Abstract. A key property for systems subject to uncertainty in their operating environment is robustness, ensuring that unmodelled, but bounded, disturbances have only a proportionally bounded effect upon the behaviours of the system. Inspired by ideas from robust control and dissipative systems theory, we present a formal definition of robustness and algorithmic tools for the design of optimally robust controllers for $\omega$-regular properties on discrete transition systems. Formally, we define metric automata — automata equipped with a metric on states — and strategies on metric automata which guarantee robustness for $\omega$-regular properties. We present fixed point algorithms to construct optimally robust strategies in polynomial time. In contrast to strategies computed by classical graph theoretic approaches, the strategies computed by our algorithm ensure that the behaviours of the controlled system gracefully degrade under the action of disturbances; the degree of degradation is parameterized by the magnitude of the disturbance. We show an application of our theory to the design of controllers that tolerate infinitely many transient errors provided they occur infrequently enough.



1. Introduction

Reactive software systems that respond directly or indirectly to information coming 
from an uncertain environment are a fundamental component of many mission-critical 
applications — in healthcare, energy-distribution, and industrial automation — with enor- 
mous societal impact. It is widely recognized that the current design and verification 
methodologies fall short of what is required to design these systems in a robust yet cost- 
effective manner. 

Current approaches to system design and verification are only able to differentiate be- 
tween absolutely correct behaviour and incorrect behaviour, providing no way of quanti- 
fying precisely the effects of errors. Hence a catastrophic failure is indistinguishable from 
a small deviation and no guarantees as to the resulting effects on the nominal system be- 
haviour may be made. Clearly, this view is overly restrictive. First, reactive systems need 
to operate for extended periods of time in environments that are either unknown or difficult 
to describe and predict at design time. For example, sensors and actuators may have noise, 
there could be mismatches between the dynamics of the physical world and its model, 
software scheduling strategies can change dynamically. Thus, asking for an environment 
and program model that encompasses all possible scenarios places an undue burden on the 
programmer, and the detailed book-keeping of every deviation from nominal behaviour 
renders the specifications difficult to understand and maintain. Second, even when certain 
assumptions are violated at run-time, we would expect the system to behave in a robust 
way: either by continuing to guarantee correct behaviour or by ensuring that the resulting 
behaviour only deviates modestly from the desired behaviour under the influence of small 
perturbations. Unfortunately, current design methodologies fall short in this respect: since 
the effects of errors cannot be explicitly quantified no guarantees may be made that small 
changes in the physical world, in the software world, or in their interaction, still result in 
acceptable behaviour. 

In this paper, we present a theory of robustness for systems modelled discretely using 
automata. We are inspired by the well developed notion of robustness in continuous control 
theory, and the tools and methodologies which have been successfully applied therein. 
In the continuous world, the designer specifies the control system for the nominal case, 
ignoring the potential effects of errors on system behaviour and performance. The design 
methodology is such that guarantees may then be made as to the degree of degradation 
of functionality of the controlled system under disturbances of bounded power. We aim 
to provide a similar theory and algorithmic tools in the presence of discrete changes on 
the one hand, and in the presence of more complex temporal specifications — given, for 
example, in linear temporal logic (LTL) or as $\omega$-automata — on the other hand. We do this 
in three steps. 

First, robustness is a topological concept. In order to define it, we need to give meaning 
to the word "closeness" or "distance." For this, we define a metric on the system states. 
Second, instead of directly modeling the effect of every disturbance, we model a nominal 
system (the case with no disturbance), together with a set of (unmodeled) disturbances 
whose effect can be bounded using the metric. That is, while making no assumption on the 
nature or origin of disturbances, we assume that the disturbances can only push the system 
to a state within a distance $\gamma$ of the nominal state. Third, under these three assumptions, 
we show how we can derive strategies for $\omega$-regular objectives that are robust in that the 
deviation from nominal behaviour can be bounded as a function of the disturbance and the 
parameters of the system. 

To illustrate this last point, consider reachability properties $\Diamond F$, where the system tries to reach a given set of states $F$. We provide fixed point algorithms which compute strategies that ensure $F$ is reached in the nominal case, and additionally, when disturbances are present of magnitude $\gamma$, guarantee that the system reaches a set $F'$ which contains states at a distance of $\sigma\gamma$ or less from $F$, where $\sigma \in \mathbb{R}_{\geq 0}$. Hence we may regard $\sigma$ as a measure of robustness of this strategy. We also provide guarantees that the resulting inflation in the size of the acceptance set is indeed optimal. Additionally, we show that an arbitrary strategy obtained through classical automata-theoretic constructions (e.g., [18, 30]) may provide trivial robustness guarantees (e.g., a bounded disturbance can force the system to reach any arbitrary state). We show how similar arguments can be made to provide robustness bounds for Büchi and parity (and thus, for all LTL) specifications under the presence of disturbances.

Technically, our constructions lift arguments similar to arguments in robust control based on control Lyapunov functions to the setting of $\omega$-regular properties. For reachability, the correspondence is simple: we require that the strategy decrements a "rank function" at a rate that depends on the distance to the target. For parity, the argument is more technical, and uses progress measures for parity games [14, 20]. Finally, we provide simple fixed point methods to compute optimal robustness bounds and strategies attaining these bounds.

We also consider a simple application of our theory to the synthesis problem in the 
presence of transient faults. We show how, using our methodology, we can algorithmically 
synthesize controllers for LTL objectives which provide a time-space tradeoff whereas 
classical automata-theoretic techniques may not be able to provide any such property with- 
out first explicitly modelling all of the parameters of the fault in detail. 

Related work. The work presented here is inspired by the theory of robust continuous control [17, 29] and the theory of infinite games with $\omega$-regular objectives on discrete graphs [10, 25, 30]. There has not been much previous work combining robustness with automata theory. In discrete control systems, tolerance to errors is achieved by explicitly modeling faults and then solving a game assuming that the adversary determines when faults occur [11]. As mentioned earlier, the enumeration of possible faults can be tedious, if not impossible, at design time. Topologies for hybrid systems [21] have been examined before, but the interactions with $\omega$-regular specifications have not been.

Qualitative notions of fault tolerance have been studied in distributed systems, for example, by designing algorithms to be "self-stabilizing" on perturbations [9], or by requiring that an invariant is eventually restored after an error ("convergence") or that the system satisfies a more liberal invariant under an error ("closure") [1]. However, quantitative notions, relevant to discrete systems, have not been studied. Our synthesis procedure produces strategies which satisfy quantitative notions of closure and (under some assumptions on the rate of faults) convergence.

In a series of papers [3, 4, 5, 8], robustness measures are developed by comparing the number of environmental errors and the number of resulting system errors using cost functions. Bloem et al. [5] define $k$-robustness: roughly speaking, a system is $k$-robust if the ratio of system to environment errors is $k$. In general terms, the synthesis approach presented here results in $\sigma$-robust strategies for constant disturbance bounds, where $\sigma$ is a constant associated with the rank function which serves as a formal characterization of the strategy. We demonstrate methods to construct strategies with optimal $\sigma$ values. Moreover, we work in a simpler model, where the only adversarial action is the bounded disturbance, while the work of Bloem et al. considers an explicit adversary. Our framework has the advantage of leading to simple polynomial-time algorithms for synthesis, but may provide more conservative results than the game-solving algorithms from [3] when robustness is sought in the presence of explicit adversaries. A more detailed technical comparison with their work is provided in Section 3.

Tarraf et al. [24] develop a framework for quantifying robust stability in finite Mealy machines by extending classical notions of gain stability from control theory. The focus is upon input-output stability and, although we adopt a state-space approach, the results derived in this paper for reachability are similar. However, we go beyond simple reachability properties and consider also Büchi and parity requirements. A more technical comparison appears in Section 3.

Measures of robustness against transient fault models have been studied in the context of combinational circuits and FPGAs [12, 13, 15, 19], but extensions to temporal behaviours have not been considered.



2. Preliminaries 

Let $Q$ be a (finite or infinite) set. A function $d : Q \times Q \to \mathbb{R}_{\geq 0}$ is called a metric or distance function for $Q$ if for all $p, q, r \in Q$, we have

(i) $d(p, q) = 0$ if and only if $p = q$ (identity of indiscernibles);

(ii) $d(p, q) = d(q, p)$ (symmetry);

(iii) $d(p, r) \leq d(p, q) + d(q, r)$ (triangle inequality).

The pair $(Q, d)$ where $Q$ is a set and $d$ is a metric for $Q$ is called a metric space. Using a metric $d$ we define the distance from a single state $q \in Q$ to a set of states $Q' \subseteq Q$ as $d(q, Q') = \inf_{q' \in Q'} d(q, q')$, the shortest distance from $q$ to some element of the set $Q'$.

A function $R : Q \to \mathbb{R}$ is Lipschitz continuous if there exists some constant $K > 0$ such that for any two states $q, q' \in Q$:

$$|R(q) - R(q')| \leq K \, d(q, q'),$$

that is, the absolute value of the difference between the images of $q$ and $q'$ is bounded above by a constant multiple of the distance between $q$ and $q'$ for every pair of states in $Q$. The value $K$ is called the Lipschitz constant of the function $R$ with respect to the distance $d$. Note that if the set $Q$ is finite then every real-valued function on $Q$ has this property.

We model discrete control systems using automata. Intuitively, we consider a "nominal" 
automaton modeling the undisturbed dynamics of the system, and add a set of disturbance 
actions which can perturb the nominal behaviour. We consider a very general model for 
the disturbances by simply requiring their effects to be bounded but otherwise arbitrary. 

For a set $\Sigma$ of symbols we let $\Sigma^*$ represent the set of finite strings of symbols from $\Sigma$, and let $\Sigma^\omega$ denote the set of infinite strings over $\Sigma$; we let $\lambda$ denote the empty string. The notation $|\Sigma|$ represents the cardinality of the set $\Sigma$ and $\Sigma^+$ is the set of non-empty finite strings over $\Sigma$. A (metric) automaton is a tuple $A = ((Q, d), q_0, \Sigma, X, \delta, \gamma)$, where

• $Q$ is a set of states and $(Q, d)$ is a metric space;

• $q_0 \in Q$ is the unique initial state;

• $\Sigma$ is a set of (system) input actions;

• $X$ is a set of disturbance indices including a special symbol $e$ signifying "no disturbance";

• $\delta : Q \times \Sigma \times X \to Q$ is the transition function specifying the next state given the current state, the input letter chosen by the system and some member of $X$ chosen by the environment; and finally

• $\gamma : Q \to \mathbb{R}_{\geq 0}$ is a real-valued function such that for each $p \in Q$ and for every $a \in \Sigma$ such that $\delta(p, a, e) = q$ for some $q \in Q$,

$$d(q, \delta(p, a, x)) \leq \gamma(q) \quad \text{for every } x \in X.$$

Note that the disturbance bound is defined with respect to the target state of a given transition, and not the source state (that is, the inequality above is bounded by $\gamma(q)$ and not $\gamma(p)$). It would be a straightforward matter to reformulate the results herein with $\gamma(q)$ replaced by $\gamma(p)$.

An automaton is finite if $Q$, $\Sigma$, and $X$ are all finite sets. For an automaton $A$, we define the undisturbed or nominal automaton, written $A^e$, as the automaton resulting from restricting the set of disturbance indices $X$ to the singleton $\{e\}$. For $q \in Q$, $a \in \Sigma$ and $x \in X$ we use the shorthand $q^{a,x}$ to denote the state $\delta(q, a, x)$. We let $\bar{\gamma} = \sup_{q \in Q} \gamma(q)$. If $\gamma(q) = \gamma(p)$ for all $p, q \in Q$ we say that $A$ has constant disturbance bound and hence $\gamma(q) = \bar{\gamma}$ for all $q \in Q$.

Intuitively, the undisturbed automaton models the "nominal" behaviour of an automaton, and the set of disturbance indices $X$ models possible environmental disturbances to the nominal behaviour (the symbol $e \in X$ thus represents the case where there is no disturbance). The function $\gamma$ limits the effects of the disturbances with respect to the nominal behaviour at each state $q$: when an action $a$ is chosen, the disturbances can cause a state at most distance $\gamma(q^{a,e})$ away from the nominal state to be reached instead. As a special case, if $\gamma(q^{a,e}) = 0$, then the disturbances have no effect on the nominal behaviour (i.e., $q^{a,x} = q^{a,e}$ for all $a \in \Sigma$ and $x \in X$).
A trace $\tau \in Q^* \cup Q^\omega$ of the automaton $A$ is a (finite or infinite) sequence of states $\tau = q_0 q_1 q_2 \cdots$ from $Q$ such that $q_0$ is the initial state of the automaton, and there exist inputs $a_0, a_1, a_2, \ldots$ and disturbances $x_0, x_1, x_2, \ldots$ with $\delta(q_i, a_i, x_i) = q_{i+1}$ for $i \geq 0$. For $q \in Q$ we write $q \in \tau$ and say the state $q$ appears on the trace $\tau$ if $q = q_i$ for some $i \geq 0$. A nominal trace is a trace in the nominal automaton $A^e$, that is, $\tau$ is such that $x_i = e$ for all $i \geq 0$. For a finite trace $\tau = q_0 q_1 \cdots q_n \in Q^*$, we define $|\tau| = n + 1$, the length of $\tau$.

The proposed model for the disturbances encompasses a wide range of concrete appli- 
cations ranging from the discrete to the continuous world, as illustrated by the next two 
examples. 

Example 2.1. [Digital Design with Single Bit-Flips] Consider an automaton $A$ modeling a state machine whose states are encoded using a binary Gray code [27]. Each state of $A$ is a sequence of $n$ bits, and neighbouring states differ in only one bit. Disturbances occur as single-event upsets which can cause a single bit in the state to flip. The distance function for the automaton is defined to be the Hamming distance between $n$-bit strings. The set of disturbance actions $X \subseteq \{0, 1\}^n$ contains all binary strings of length $n$ with at most one non-zero digit. Under this definition, $e$ is equal to the binary string of length $n$ consisting entirely of zeros. The transition function $\delta$ for $A$ is defined from the transition function $\delta_e$ of $A^e$ by $\delta(q, a, x) = \delta_e(q, a) \oplus x$ for any $q \in \{0, 1\}^n$, where $\oplus$ is the XOR function. Hence, the potential effect of the disturbance is bounded by the constant $\bar{\gamma} = 1$.

Example 2.2. [Robust Control] Consider a continuous control system in discrete time which may be viewed as an infinite-state automaton with transition function $\delta : \mathbb{R}^n \times \mathbb{R}^m \times \mathbb{R}^p \to \mathbb{R}^n$. The state set is $\mathbb{R}^n$, the input alphabet is $\mathbb{R}^m$ and $\mathbb{R}^p$ is the set of environmental disturbances. Disturbance signals $x : \mathbb{N} \to \mathbb{R}^p$ are often used as a lumped representation for several sources of uncertainty such as measurement errors or errors in the model of the transition function. Hence, the disturbance signals are assumed to be arbitrary but of bounded amplitude, that is, $\|x(k)\| \leq \gamma'$ for some constant $\gamma' \in \mathbb{R}_{\geq 0}$, some norm $\|\cdot\|$ on $\mathbb{R}^p$, and every $k \in \mathbb{N}$. A further typical assumption is Lipschitz continuity of $\delta$. It then follows from these two assumptions that

$$\|\delta(q, a, x) - \delta(q, a, 0)\| \leq K' \|x - 0\| \leq K' \gamma'$$

where $K'$ is the Lipschitz constant. Therefore by defining the distance function $d$ as $d(y, z) = \|y - z\|$ we conclude that the system in this example has constant disturbance bound $\bar{\gamma} \in \mathbb{R}_{\geq 0}$ equal to $K'\gamma'$.

We make certain natural assumptions as to the connectedness of the automata we con- 
sider. In order to elucidate these assumptions we define the following notions. A state 
q E Q is (nominally) reachable if there exists a finite (nominal) trace connecting qo to the 
state q, and (nominally) coreachable with respect to some set of states Q' C Q if there 
exists a finite (nominal) trace connecting q to some state in Q' . If every state in Q is reach- 
able (resp. coreachable w.r.t. Q') we say that A is reachable (resp., coreachable w.r.t. Q'). 
Throughout the following we will assume that every automaton we consider is reachable. 

We associate acceptance conditions with automata to distinguish between "good" and "bad" traces. A reachability condition is a set $F \subseteq Q$ of terminal states. A reachability automaton $(A, F)$ consists of an automaton $A$ together with a reachability condition $F$. A finite trace of the automaton $A$ satisfies the reachability condition $F$ if and only if it ends at some state in the set $F$. We make the following assumption for all reachability automata in the paper.
Assumption 2.3. The automaton $A$ is nominally coreachable with respect to $F$.

A Büchi automaton $(A, F)$ is an automaton $A$ together with a Büchi acceptance condition $F \subseteq Q$. For an infinite trace $\tau = q_0 q_1 \ldots \in Q^\omega$ let

$$C(\tau) = \{ q \in Q \mid \forall i \geq 0\ \exists j \geq i,\ q_j = q \}$$

denote the set of states appearing infinitely often on $\tau$. A trace $\tau \in Q^\omega$ satisfies the Büchi acceptance condition $F$ if and only if $C(\tau) \cap F \neq \emptyset$. In other words, there exists at least one state in the set $F$ which features infinitely often on the trace. We again make Assumption 2.3.

A generalized Büchi acceptance condition is a set of the form $\mathcal{F} = \{F_0, \ldots, F_{n-1}\}$ and consists of a finite number of subsets of the state set $Q$. An automaton $A$ paired with such an acceptance condition is called a generalized Büchi automaton. An infinite trace $\tau \in Q^\omega$ of $A$ satisfies the acceptance condition if and only if $C(\tau) \cap F_i \neq \emptyset$ for $i = 0, \ldots, n-1$. We ask that the following assumption is satisfied.

Assumption 2.4. The generalized Büchi automaton $A$ is nominally coreachable with respect to $F_i$ for $i = 0, \ldots, n-1$.

The justifications for this assumption will be discussed further in Section [?!2] 

Finally a parity automaton $(A, \mathcal{F})$ is an automaton $A$ together with a parity acceptance condition consisting of a finite number of pairwise disjoint subsets of the state set $Q$: $\mathcal{F} = \{F_0, \ldots, F_{2n+1}\}$ with $F_i \cap F_j = \emptyset$ for $i \neq j$. The parity of a state $q \in Q$ is the index $i$ of the unique set $F_i$ containing $q$, if any, and undefined if there exists no such $F_i$. A trace $\tau \in Q^\omega$ of $A$ satisfies the acceptance condition $\mathcal{F}$ if and only if the least parity amongst the states in the set $C(\tau)$ is even. Note that we allow the set of states to be partially colored [30]: the set $\bigcup_i F_i$ may not necessarily cover $Q$. The connectedness assumption for parity automata is the following.

Assumption 2.5. Each state $q \in Q$ in the parity automaton $A$ is nominally coreachable with respect to some set of even parity $F_{2i}$, and if $q$ has odd parity, then it is nominally coreachable with respect to some $F_{2i}$ where $2i$ is less than the parity of $q$.

The reasoning for this assumption will be given in Section [53] 

A strategy for an automaton $A$ is a function $S : Q^+ \to 2^\Sigma$ specifying input choices for each finite trace. Given a strategy $S$, the set of outcomes is the set of traces $q_0 q_1 \cdots$ on which $q_0$ is the initial state of the automaton, and for each $i \geq 0$ there exists $a_i \in S(q_0 \cdots q_i)$ with $q_{i+1} = \delta(q_i, a_i, x)$ for some $x \in X$. A nominal outcome of a strategy is a trace $q_0 q_1 q_2 \cdots$ where $q_0$ is the initial state and for each $i \geq 0$ we have $q_{i+1} = \delta(q_i, a_i, e)$.

A strategy $S$ is memoryless if $S(w \cdot q) = S(w' \cdot q)$ for all $w, w' \in Q^*$ and $q \in Q$, that is, if it depends only on the last state on the trace. In this case, we omit the (irrelevant) prefix, and consider a strategy to be a function from $Q$ to $2^\Sigma$.

A strategy $S$ is called deterministic if for all $q \in Q$, $|S(q)| = 1$. If a strategy does not have this property we say that it is non-deterministic.

For a state $q \in Q$ of a reachability or Büchi automaton with acceptance set $F$ and strategy $S$, let $T^S(q, Q')$ denote the set of nominal traces connecting $q$ to an element of the set $Q' \subseteq Q$. Note that if $S$ is deterministic the set $T^S(q, Q')$ will contain only one trace for each $q$; we abuse notation and let $T^S(q, Q')$ denote this unique trace directly. Let $\mathrm{Reach}_S(q) \subseteq Q$ denote the set of states in $A$ reachable from $q$ via a finite trace resulting from the system following strategy $S$ and any environmental action, and let $\mathrm{Reach}_{S,T}(q)$ denote the set of states in $A$ reachable from $q$ via a finite trace resulting from the system following strategy $S$ and the environment following strategy $T$.
A disturbance strategy is a function from $Q^+ \times \Sigma$ to $X$. Let $S : Q^+ \to 2^\Sigma$ be a strategy and $T : Q^+ \times \Sigma \to X$ a disturbance strategy. An outcome $q_0 q_1 \cdots$ of $S$ and $T$ is a trace on which $q_0$ is the initial state of the automaton and for each $i \geq 0$ we have $q_{i+1} = \delta(q_i, a, T(q_0 \ldots q_i, a))$ for $a \in S(q_0 \cdots q_i)$.

Let $(A, F)$ be an automaton together with an acceptance condition. A strategy is nominally winning in $A$ if every nominal outcome satisfies $F$. It is known that reachability, Büchi, and parity conditions admit memoryless nominally winning strategies [10]. A strategy $S$ is winning if for every disturbance strategy $T$, each outcome of $S$ and $T$ satisfies $F$.

For a finite automaton $A$ and memoryless strategy $S : Q \to 2^\Sigma$ let $A|_S$ denote the automaton resulting from restricting the behaviour of $A$ using $S$. That is, the automaton $A|_S$ has

• State set $\mathrm{Reach}_S(q_0) \subseteq Q$ with distance function $d$;

• Initial state $q_0$;

• Input alphabet $\Sigma$;

• Disturbance alphabet $X$;

• Partial transition function $\delta_S : \mathrm{Reach}_S(q_0) \times \Sigma \times X \to \mathrm{Reach}_S(q_0)$ with $\delta_S(q, a, x) = \delta(q, a, x)$ if $a \in S(q)$, that is, $\delta_S$ is equal to $\delta$ restricted to $\mathrm{Reach}_S(q_0)$ by $S$;

• Disturbance function $\gamma_S : \mathrm{Reach}_S(q_0) \to \mathbb{R}_{\geq 0}$ which is the restriction of $\gamma$ to $\mathrm{Reach}_S(q_0)$.

We are now able to introduce our definitions of robustness. 

Definition 2.6. A nominally winning strategy $S$ for a reachability or Büchi automaton $(A, F)$ is $\sigma$-robust if $S$ is winning for the automaton $(A, F')$ where $F' = \{q \in Q \mid d(q, F) \leq \sigma\bar{\gamma}\}$.

A nominally winning strategy $S$ for a generalized Büchi automaton $(A, \mathcal{F})$ is $\sigma$-robust if $S$ is winning for the automaton $(A, \mathcal{F}')$ where $\mathcal{F}' = \{F'_0, \ldots, F'_{n-1}\}$ with

$$F'_j = \{q \in Q \mid d(q, F_j) \leq \sigma\bar{\gamma}\}$$

for $j = 0, \ldots, n-1$.

A nominally winning strategy $S$ for a parity automaton $(A, \mathcal{F})$ is $\sigma$-robust if $S$ is winning for the automaton $(A, \mathcal{F}')$ where $\mathcal{F}' = \{F'_0, F_1, F'_2, \ldots, F_{2n+1}\}$ where

$$F'_{2i} = \{q \in Q \mid d(q, F_{2i}) \leq \sigma\bar{\gamma}\}$$

for $i = 0, \ldots, n$.

We show a simple example illustrating our definitions. 

Example 2.7. Consider the reachability automaton $(A, F)$ with $Q = \{q_0, \ldots, q_6\}$, $\Sigma = \{a, b\}$ and $F = \{q_6\}$. The automaton $A$ is equipped with a distance function $d : Q \times Q \to \mathbb{R}_{\geq 0}$. The relative distances of the states in $Q$ are presented in Table 1 and are approximated by the relative arrangement of the states in the automaton in Figure 1. The disturbance function is defined as $\gamma(q) = 1$ for all $q \in Q$ and the nominal behaviour is defined as shown in Figure 1. Since the disturbance bound is constant we shall refer to it simply as $\gamma = 1$.

Let $S_b : Q \to \Sigma$ be the deterministic memoryless strategy which chooses $b \in \Sigma$ for every $q \in Q$, and let $S_a : Q \to \Sigma$ be the deterministic memoryless strategy which chooses $a \in \Sigma$ for every $q \in Q$. Clearly both $S_b$ and $S_a$ are nominally winning for the reachability condition; they are equally good strategies in classical automata theory.

Consider the result of applying the strategies $S_b$ and $S_a$ in the disturbed automaton $A$. First note that the unique nominal trace connecting the initial state $q_0$ to the terminal state $q_6$ resulting from applying $S_b$ is $q_0 q_1 q_6$. Inputting $b$ at state $q_0$ could result in reaching any of the states in the ellipse on the left and hence it is possible that the system may remain in state $q_0$ indefinitely. Then since $q_0$ is at a distance of 5 from the terminal state $q_6$, a trace implementing $S_b$ is only guaranteed to reach a state at distance 5 or less from $F$. Therefore, in the disturbed automaton, strategy $S_b$ is winning with respect to the inflated acceptance condition $F_b = \{q \in Q \mid d(q, F) \leq 5\}$ as shown in Figure 1, and $S_b$ is 5-robust.

Figure 1. The undisturbed automaton $A^e$.

Table 1. The distance between states in the automaton $A^e$ of Figure 1.

Now consider the strategy $S_a$. The nominal trace connecting $q_0$ to $q_6$ for this strategy is $q_0 q_3 q_5 q_6$. Note that $d(q_0, q_3)$ and $d(q_3, q_5)$ are both greater than the power of the disturbance $\gamma = 1$. Therefore in the disturbed automaton progress is still being made towards $F$ until we reach $q_5$ which is at a distance of 1 from $F$. Hence the strategy $S_a$ is winning with respect to the inflated reachability condition $F_a = \{q \in Q \mid d(q, F) \leq 1\}$ as shown in Figure 1 and $S_a$ is 1-robust.

In classical automata and game theory (e.g., [30]), the outcomes of the two strategies are indistinguishable: both strategies reach the set $F = \{q_6\}$ in the nominal case, and may result in traces which never reach $F$ when disturbances are present. However, the metric $d$ provides an extra method of comparison: the distance from $F$ as a function of the bound on the disturbance $\gamma$. With this in mind it is obvious that the strategy $S_a$ is a better choice for the automaton $A$.

We discuss the construction of the two strategies $S_b$ and $S_a$ in Section 3.
3. Reachability

In this section we provide methods to verify the robustness of strategies for finite reach- 
ability acceptance conditions, as well as algorithms to synthesize optimally robust strate- 
gies. The definitions presented are based upon ideas from continuous control and provide 
the foundations for dealing with more complex infinite acceptance conditions in the fol- 
lowing sections. 

Let $(A, F) = ((Q, d), q_0, \Sigma, X, \delta, \gamma, F)$ be a reachability automaton satisfying Assumption 2.3. A (reachability) rank function with respect to $F$ is a function $R_F : Q \to \mathbb{R}_{\geq 0}$ where $R_F(q) = 0$ if and only if $q \in F$, and there exists a monotonically increasing function $\alpha : \mathbb{R}_{\geq 0} \to \mathbb{R}_{\geq 0}$ satisfying $\alpha(0) = 0$ and

(1) $\alpha(d(q, F)) \leq R_F(q)$ for all $q \in Q$.

A rank function $R_F$ is said to be a control Lyapunov function if there exists a monotonically increasing function $f : \mathbb{R}_{\geq 0} \to \mathbb{R}_{\geq 0}$ satisfying $f(0) = 0$ and such that for each $q \in Q \setminus F$ there exists some $a \in \Sigma$ with

(2) $R_F(q^{a,e}) - R_F(q) \leq -f(d(q, F))$.

We exclude states in the set $F$ since we exclusively consider finite reachability conditions of the form $\Diamond F$. By asking that $R_F$ satisfies inequality (2) at every state in $Q$ one may also reason about acceptance conditions of the form $\Diamond\Box F$ ("eventually always $F$") in the same manner.

A control Lyapunov function $R_F$ induces one or more memoryless strategy functions $S$ defined by mapping a state $q \in Q$ to some subset of the inputs $a \in \Sigma$ which satisfy inequality (2).

The existence of a control Lyapunov function relies upon the nominal coreachability 
assumption with respect to F. This is a natural assumption in certain applications, such as 
in the control of physical systems, but it is typically not satisfied in the normal treatment of 
reachability of discrete systems. However it is straightforward to restrict the state set of the 
automaton to exclude states from which the set F cannot be reached via a finite nominal 
trace. 



Theorem 3.1. Let $(A, F)$ be a finite reachability automaton satisfying Assumption 2.3. A memoryless strategy $S$ is nominally winning with respect to $F$ if and only if there exists a control Lyapunov function $R_F$ such that $S$ can be induced from $R_F$.

Proof. Let $(A, F)$ be a reachability automaton and let $R_F$ be a Lipschitz continuous control Lyapunov function with respect to $F$. Define $S : Q \to 2^\Sigma$ by $S(q) = \{a \in \Sigma \mid a \text{ satisfies inequality (2)}\}$. Let $\tau = q_0 q_1 \ldots$ be a nominal outcome of $S$ in $A$. Since (2) holds for every $q$ on the trace $\tau$ and the function $R_F$ is non-negative, $R_F$ decreases along $\tau$ and necessarily reaches zero in finitely many steps. It then follows from (1) that $d(q, F)$ is also zero for some $q \in \tau$ appearing in $\tau$ after a finite prefix since $d(q, F) \leq \alpha^{-1}(R_F(q))$ where the inverse $\alpha^{-1}$ is also a monotonically increasing function vanishing at zero.

Now let $S : Q \to 2^\Sigma$ be a nominally winning strategy for $(A, F)$, and let $\eta : \mathbb{R}_{\geq 0} \to \mathbb{R}_{\geq 0}$ be a monotonically increasing function. We define a weighted digraph $G = (Q, E)$ in which there exists an edge $(q, \lambda_q, q') \in E$ with $\lambda_q = \eta(d(q, F))$ if and only if $\delta(q, a, e) = q'$ for some $a \in S(q)$. For each $q \in Q$ define

$$R(q) = \min_{\tau \in T^S(q, F)} \sum_{q' \in \tau} \lambda_{q'}.$$

Note that the definition above is indeed well formed: every trace in the set $T^S(q, F)$ is simple (that is, one without loops) by definition and therefore each state in $Q$ may appear at most once on such a trace.

Observe that $\eta(d(q, F)) \leq R(q)$ for all $q \in Q$ and hence that $R$ is a reachability rank function. Also since $R(q) \geq R(\delta(q, a, e)) + \eta(d(q, F))$ for every $a \in S(q)$ we may trivially observe that

$$R(\delta(q, a, e)) - R(q) \leq -\eta(d(q, F))$$

for every $q \in Q$ and the function $R$ is indeed a control Lyapunov function.

By definition the function $R$ satisfies inequality (2) at a state $q$ for an input $a \in \Sigma$ if and only if $a \in S(q)$, and therefore the strategy induced from $R$ will be precisely $S$ as required. □

Control Lyapunov functions provide a method for the verification of robustness of po- 
tential strategies. For a system with a constant disturbance bound, the following theorem 
describes the "graceful degradation" or robustness properties possessed by strategies in- 
duced from control Lyapunov functions. When disturbances are present, a nominal out- 
come is not guaranteed but no catastrophic failure will occur. Instead, the deviation from a 
nominal outcome is linearly bounded by the power of the disturbance, and may be explic- 
itly calculated. 



Theorem 3.2. Let $(A, F)$ be a finite reachability automaton satisfying Assumption 2.3 with disturbance bounded by $\gamma$ and let $S$ be a nominally winning memoryless strategy induced from a control Lyapunov function $R_F$. Then $S$ is a $f^{-1}(K\gamma)/\gamma$-robust winning strategy where $K$ is the Lipschitz constant of $R_F$.

Proof. Assume that $R_F : Q \to \mathbb{R}_{\geq 0}$ is a control Lyapunov function for the reachability automaton and let $S : Q \to 2^\Sigma$ be a strategy induced from $R_F$. Let $T$ be a disturbance strategy and consider an outcome $\tau = q_0 q_1 \cdots$ of $S$ and $T$. We first establish the inequality:

$$R_F(q^{a,x}) - R_F(q) \leq K\gamma - f(d(q, F))$$

for any $q$ appearing in $\tau$:

$$\begin{aligned}
R_F(q^{a,x}) - R_F(q) &= R_F(q^{a,x}) - R_F(q^{a,e}) + R_F(q^{a,e}) - R_F(q) \\
&\leq |R_F(q^{a,x}) - R_F(q^{a,e})| - f(d(q, F)) \\
&\leq K \, d(q^{a,e}, q^{a,x}) - f(d(q, F)) \\
&\leq K\gamma - f(d(q, F)).
\end{aligned}$$

Note that as long as $q$ is sufficiently far from $F$, the value $-f(d(q, F))$ is sufficiently negative, and the sum $K\gamma - f(d(q, F))$ remains negative. Hence, $R_F$ continues to decrease along $\tau$. The situation changes when we reach a state $q$ satisfying $K\gamma \geq f(d(q, F))$. Hence, an outcome of $S$ and $T$ is guaranteed to reach the set $F' = \{q \in Q \mid f(d(q, F)) \leq K\gamma\}$ (or equivalently, $F' = \{q \in Q \mid d(q, F) \leq f^{-1}(K\gamma)\}$) in finitely many steps and therefore $S$ is $\sigma$-robust where $\sigma = f^{-1}(K\gamma)/\gamma$. □

The case in which the function $f$ is linear, that is, $f(x) = cx$ for every $x \in \mathbb{R}_0^+$ and a fixed constant $c \in \mathbb{R}^+$, is worth noting. In this case the expression $\sigma = f^{-1}(K\gamma)/\gamma$ in the above theorem simplifies to $\sigma = K/c$.



Although a similar approach to the one provided in the proof of Theorem 3.2 for calculating robustness bounds may be used for automata having state dependent disturbance bounds, the resulting value is likely to be conservative. Indeed, let $(A,F)$ be a finite reachability automaton and let $S$ be a memoryless strategy with associated control Lyapunov function $R$. Let
$$Q' = \{\, q \in \mathrm{Reach}_S(q_0) \mid \exists p \in \mathrm{Reach}_S(q_0),\ \exists a \in S(p) : \delta(p,a,\epsilon) = q \ \wedge\ K\gamma(q) \ge f(d(p,F)) \,\},$$
the set of states where the control Lyapunov inequality (2) may be violated under the effects of a disturbance, that is, states $q$ from which the disturbance action can force the system to reach a state which is further away from the target set than $q$. The value of $\sigma$ calculated via the method presented in Theorem 3.2 would be
$$\sigma = \frac{\max\{d(q,F) \mid q \in Q'\}}{\gamma}.$$
Let $q \in Q$ be the state achieving this value, that is, $d(q,F) = \sigma\gamma$, and let $p \in Q$ be the state reached by following $S$ at $q$. If $\delta(p,a,x) \notin Q'$ for all $x \in X \setminus \{\epsilon\}$, a smaller value of the bound could be achieved.

Instead, for systems with state dependent disturbance bounds, we give a dynamic programming algorithm. The operators presented below will form the basis for optimal synthesis and robustness verification not just for reachability automata, but for the $\omega$-regular automata which follow in later sections.

Fix a reachability automaton $(A,F)$, and let $Q = \{q_0, \ldots, q_{m-1}\}$. We characterize the optimal robustness bound achievable by a memoryless strategy as the fixed point of a certain operator. The operator acts upon a vector of size $|Q| = m$ consisting of positive real numbers.

Consider a state $q \in Q$ and the objective to reach the set $F$ via a finite trace beginning at $q$. We argue that for any nominally winning strategy $S$ beginning at $q$, the robustness bound $\sigma$ cannot be more than $d(q,F)/\gamma$, since just by staying at $q$ the strategy ensures that the system is within distance $d(q,F)$ of the final states (cf. strategy $S_b$ in Example 2.7). Hence the maximal value of $\sigma$ is equal to $d(q,F)/\gamma$.

We define a sequence of vectors $\mathrm{opt}^i$ for $i \ge 0$. With the above intuition, we define $\mathrm{opt}^0(j) = d(q_j, F)$ for $j = 0, \ldots, m-1$.

For $a \in \Sigma$ let $\mathrm{Post}_a(q) = \{q' \mid \exists x \in X : \delta(q,a,x) = q'\} \subseteq Q$, the set of states reachable from $q$ via the input action $a$ under any disturbance. The definition is extended to sets of states in the natural way. Further, for words $w = w_1 \ldots w_n \in \Sigma^*$, we write
$$\mathrm{Post}_w(q) = \mathrm{Post}_{w_n}(\mathrm{Post}_{w_{n-1}}(\cdots \mathrm{Post}_{w_1}(q))),$$
with the assumption that $\mathrm{Post}_\lambda(q) = \{q\}$ for the empty word $\lambda$.

Definition 3.3. Define the monotonic operator $g : (\mathbb{R}_0^+)^m \to (\mathbb{R}_0^+)^m$ by
$$g(\mathrm{opt})(j) = \min\Big\{\mathrm{opt}(j),\ \min_{a \in \Sigma}\ \max_{q_i \in \mathrm{Post}_a(q_j)} \mathrm{opt}(i)\Big\}.$$
Let $\mathrm{opt}^{i+1} = g(\mathrm{opt}^i)$.
Consider the result of applying $g$ once to the vector $\mathrm{opt}^0$. As previously stated, $\mathrm{opt}^0(j) = d(q_j,F)$ for each $0 \le j \le m-1$. Applying $g$ gives
$$\mathrm{opt}^1(j) = \min\Big\{\mathrm{opt}^0(j),\ \min_{a\in\Sigma}\max_{q_i\in\mathrm{Post}_a(q_j)}\mathrm{opt}^0(i)\Big\} = \min\Big\{d(q_j,F),\ \min_{a\in\Sigma}\max_{q_i\in\mathrm{Post}_a(q_j)} d(q_i,F)\Big\} = \min_{a\in\Sigma\cup\{\lambda\}}\ \max_{q_i\in\mathrm{Post}_a(q_j)} d(q_i,F),$$
where $\lambda$ is the empty word. So $\mathrm{opt}^1(j)$ encodes the closest the system is able to get to $F$ via a trace of length at most one beginning at $q_j$ when the environment chooses disturbance inputs which are worst-case, that is, the environment's objective is to force the system to move as far away as possible from $F$. Iterating this reasoning leads to the fixed point $\mathrm{opt}^*$ defined by
$$\mathrm{opt}^*(j) = \min_{w \in \Sigma^*}\ \max_{q_i \in \mathrm{Post}_w(q_j)} d(q_i,F).$$
Note that $g$ takes the minimum over $a \in \Sigma$ afresh at every successor, so in this expression the $k$-th letter of $w$ may be chosen once the state reached after the first $k-1$ letters (and the disturbances along the way) is known: $\mathrm{opt}^*(j)$ is the value guaranteed by a state-feedback strategy, which is what the memoryless strategies of this section are, and it can be strictly smaller than the value of the best single fixed word.

Since the automaton $A$ is finite the fixed point $\mathrm{opt}^*$ will be reached in a finite number of iterations. There can be at most $|Q| - 1$ iterations since this is the length of the longest input word labeling a simple path between two states in $A$, and each iteration can be performed in time polynomial in the size of $Q$. Hence the overall worst case complexity for the algorithm is polynomial in the size of $Q$.

This algorithm is easily seen to be a simple generalization of the Bellman-Ford shortest path algorithm, modified to take into account the non-determinism resulting from disturbances.

We first use Definition 3.3 to verify robustness for a given strategy. Given a nominally winning memoryless strategy $S$ for a finite reachability automaton $(A,F)$ the robustness bound $\sigma$ for $S$ is precisely
$$\sigma = \frac{\mathrm{opt}^*(0)}{\gamma}$$
computed for the automaton $A|_S$ (the automaton restricted to the actions chosen by $S$), where $q_0$ is the initial state.

Finally we approach the issue of the synthesis of optimally robust winning strategies. Given a finite reachability automaton $(A,F)$ the optimal achievable robustness bound for $A$ is
$$\frac{\mathrm{opt}^*(0)}{\gamma}$$
computed for $A$ itself. A memoryless strategy achieving the optimal robustness for $(A,F)$ may be recovered in the following way. We define
$$S(q) = \{a \in \Sigma \mid q_j = \delta(q,a,\epsilon) \text{ and } \mathrm{opt}^*(j) = \mathrm{opt}^*(0)\} \setminus \{a \in \Sigma \mid q \in \mathrm{Post}_a(q)\}$$
if the right-hand side is non-empty, and $S(q) = \Sigma$ otherwise.



Example 3.4. Returning to Example 2.7 we discuss the two rank functions $R_b : Q \to \mathbb{R}_0^+$ and $R_a : Q \to \mathbb{R}_0^+$ from which the strategies $S_b$ and $S_a$ are induced. Table 2 lists the distance from each state to the terminal state $q_6$ and the value of the two rank functions $R_b$ and $R_a$.

The function $R_b : Q \to \mathbb{R}_0^+$ is the result of a classical graph theoretic shortest path approach: each state $q \in Q$ is mapped to the length of the shortest path connecting $q$ to some state in $F$.

Let $\eta : \mathbb{R}_0^+ \to \mathbb{R}_0^+$ be the monotonically increasing function defined by $x \mapsto 2x$ for all $x \in \mathbb{R}_0^+$. Then $R_a$ is a control Lyapunov function since for all $q \in Q \setminus \{q_6\}$

Table 2. The rank functions $R_b$ and $R_a$ for the automaton $A$.

    q      d(q, q6)   R_b(q)   R_a(q)
    q0        5         2        18
    q1        6         1        12
    q2        8         2        24
    q3        3         2         8
    q4        3         1         6
    q5        1         1         1
    q6        0         0         0

For optimal robustness, the vectors $\mathrm{opt}^0$ and $\mathrm{opt}^*$ are as follows for this example (entries listed in the order $q_0, \ldots, q_6$):
$$\mathrm{opt}^0 = (5, 6, 8, 3, 3, 1, 0)^{\mathsf T}, \qquad \mathrm{opt}^* = (1, 1, 1, 1, 1, 1, 0)^{\mathsf T}.$$
The optimal achievable bound is therefore $\mathrm{opt}^*(0)/\gamma = 1$, and the strategy $S_a$ is optimal with respect to a disturbance of size $\gamma = 1$.

Comparison with existing work. At this point it is convenient to compare our framework with the frameworks of Bloem et al. [5] and of Tarraf et al. [24]. Both of these references adopt an input-output perspective by relating environment errors (inputs) to system errors (outputs). In contrast, we adopt a state-space approach by endowing the set of states with a metric and placing no assumptions on the environment other than having bounded power.

In [5] the authors define the notion of $K$-robustness for automata. For a reachability automaton $(A,F)$ two monotonically increasing functions which map zero to zero are defined: an environmental error function $e : \Sigma^* \to \mathbb{N} \cup \{\infty\}$ and a system error function $s : \Sigma^* \to \mathbb{N} \cup \{\infty\}$. A pair $(e,s)$ of error functions for a given automaton is called an error specification for $A$. Then a strategy $S : Q \to \Sigma$ for $A$ is $K$-robust with respect to the error specification $(e,s)$ if there exists $\beta \in \mathbb{N}$ such that for all $w \in \Sigma^*$ which label outcomes of $S$,
$$s(w) \le K\, e(w) + \beta.$$

In order to compare Bloem's and Tarraf's results with ours, we resort to some key ideas from robust control [26, 29]. First, we define an environment error signal $\mathbf{e} = e_1 e_2 \ldots e_n \in \mathbb{R}^*$ and a system error signal $\mathbf{s} = s_1 s_2 \ldots s_n \in \mathbb{R}^*$. The only assumption we place on $\mathbf{e}$ and $\mathbf{s}$ is that an absence of environment errors at time $k \in \mathbb{N}$ corresponds to $e_k = 0$ and the absence of system errors at time $k \in \mathbb{N}$ corresponds to $s_k = 0$. The error functions $e$ and $s$ in Bloem's framework can be seen as the cumulative versions of $\mathbf{e}$ and $\mathbf{s}$, for example
$$e(w_0 \ldots w_k) = \sum_{i=0}^{k} e_i, \qquad s(w_0 \ldots w_k) = \sum_{i=0}^{k} s_i.$$
In Tarraf's framework and notation the role of $e_i$ is played by $\rho(u(i))$ and the role of $s_i$ is played by $\mu(y(i))$. We now regard an automaton as defining a transformation $F : \mathbb{R}^* \to \mathbb{R}^*$ from environment error signals to system error signals, $F(\mathbf{e}) = \mathbf{s}$ (this map is unrelated to the terminal set of the same name). In general $F$ will be a set valued function, but we assume it to be single valued to simplify the discussion.

[Figure 2. The communication network for leadership election.]



The notion of finite-gain stability from robust control can now be introduced as follows. A map $F : \mathbb{R}^* \to \mathbb{R}^*$ is said to be finite-gain stable with gain $K$ and bias $\beta$ if the following inequality holds:
$$(3)\qquad \sum_{i=1}^{n} F(\mathbf{e})_i \le K \sum_{i=1}^{n} e_i + \beta$$
for every $\mathbf{e} = e_1 \ldots e_n \in \mathbb{R}^*$. A more condensed version of (3) is
$$\mathbf{s} \le K\mathbf{e} + \beta,$$
which is Bloem's notion of $K$-robustness and Tarraf's notion of $\rho/\mu$ gain stability. It is well known in robust control and dissipative systems theory that the existence of a certain type of Lyapunov function (a storage function) implies finite-gain stability. In the context of reachability automata, we define $\mathbf{e}$ to be the effect of the environment actions on the state:
$$e_k = d(q_k^{ax}, q_k^{a\epsilon}).$$
If $x = \epsilon$ then $q_k^{ax} = q_k^{a\epsilon}$ and $e_k = 0$, since the behaviour coincides with the nominal behaviour under no environment disturbances. For problems of the form $\Diamond\Box F$ we regard $F$ as the set of states describing the desired operation for the system. Hence, any deviation from $F$ is regarded as a system error. The system error signal is defined as
$$s_k = d(q_k, F).$$
Standard arguments in dissipative systems theory [26] would then show that
$$\mathbf{s} \le f^{-1}(K\mathbf{e}) + R_F(q_0),$$
where $f : \mathbb{R}_0^+ \to \mathbb{R}_0^+$ is some monotonically increasing function satisfying $f(0) = 0$ and $K$ is the Lipschitz constant of $R_F$. It is also known that finite-gain stability does not imply the notion of stability considered in this paper unless certain controllability/observability assumptions hold. This follows from the fact that it may not be possible to infer the decrease of $R_F$ at every state only from the knowledge of $\mathbf{e}$ and $\mathbf{s}$, when not every state can be reached from $q_0$ or when $\mathbf{s}$ does not provide enough information about the state.
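As an added worked step (not spelled out on the page), the dissipativity argument can be carried through with the symbols just introduced. Along the part of an outcome on which inequality (2) applies, i.e. while $q_k \notin F$, the one-step bound from the proof of Theorem 3.2 reads, with $e_k = d(q_k^{ax}, q_k^{a\epsilon})$ and $s_k = d(q_k,F)$,
$$R_F(q_{k+1}) - R_F(q_k) \le K e_k - f(s_k).$$
Summing over $k = 0, \ldots, n-1$ and using $R_F(q_n) \ge 0$ gives
$$\sum_{k=0}^{n-1} f(s_k) \le K \sum_{k=0}^{n-1} e_k + R_F(q_0) - R_F(q_n) \le K \sum_{k=0}^{n-1} e_k + R_F(q_0).$$
For linear $f(x) = cx$ this is exactly the finite-gain inequality (3) with gain $K/c$ and bias $R_F(q_0)/c$, the same constant $K/c$ that appears as $\sigma$ in the linear case after Theorem 3.2; $R_F/c$ plays the role of the storage function. For nonlinear $f$ the summed inequality bounds $\sum_k f(s_k)$ rather than $\sum_k s_k$ directly.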

4. Example

In this section we recast a classic problem from distributed computing in our framework to allow the explicit quantification of the robustness of possible solution strategies. Figure 2 shows a network of four computer nodes, each having a two way communication channel (represented by an undirected edge in the graph) connected to each of its two neighbouring nodes. Each computer in the network has a unique identifier which is presented in the figure. The four nodes are required to elect a leader, and may make use of the communication channels to exchange information. In order for a leader to be elected, the nodes must come to a unanimous consensus on which of the four nodes is the leader. However, the communication channels between the nodes are known to be subject to noise, and so messages may be corrupted between transmission and receipt, as described below.

We model the system as an automaton with state set defined by the global state of the network. That is, each state in the automaton represents the current belief of the four nodes as to who is the leader. Hence $Q \subseteq \{1,2,3,4\}^4$. The initial state is $(1,2,3,4)$. At each state, each of the four nodes communicates its current belief to its neighbouring nodes, and each node uses this information combined with its own belief about the current leader to update its belief. The acceptance condition is a reachability condition with terminal set $\{(i,i,i,i) \mid i \in \{1,2,3,4\}\}$. There are a number of different strategies which the nodes could apply to decide upon a new belief using the information available to them. We consider the following three possibilities.

B: Each node chooses the least of the three values;

T: Each node chooses the largest of the three values;

F: Each node chooses the integer part of the average of the three values.

It is a well known result in distributed computing that choosing either of the first two strategies is computationally optimal [11].

The disturbances in our system are characterized in the following way: beliefs are assumed to be sent as decimal numbers, and the noise in the channel may cause the value of the sent belief to change by $\pm 1$. However, we do not allow messages outside of the set $\{1,2,3,4\}$: for example if a disturbance occurs on the message '1', the recipient will receive either '1' or '2'. A distance function on the state set $Q$ is defined by
$$d((x_1,x_2,x_3,x_4),(y_1,y_2,y_3,y_4)) = |x_1 - y_1| + |x_2 - y_2| + |x_3 - y_3| + |x_4 - y_4|;$$
this is precisely the Manhattan or $L_1$ norm. For each node $i \in \{1,2,3,4\}$ we assume that only one of the two incoming messages may be affected by the disturbance at any given time in order to simplify the presentation, though the methodology applies in the same way without this assumption. This combined with our assumption about the power of the disturbance on the messages themselves translates into a constant disturbance in our automaton model of size $\gamma = 1$.

Figures 3 and 4 show the metric automata for the three strategies described above. We restrict to the reachable part of the automaton. Nominal transitions are represented by dashed lines, disturbed transitions by solid.

We use the operator $g$ of Definition 3.3 to analyze the robustness of the three strategies. First note that strategies B and T, the classical optimal strategies, are 0-robust. Indeed, the fixed point iteration gives $\sigma_{\min} = 0$. More interesting are the conclusions we may draw for the floor strategy F. Here $\sigma_{\min} = 1$, due to the self loops at states 2223 and 2232. Hence a disturbance bounded by $\gamma = 1$ results in only one node having the wrong belief, and hence though the nodes do not reach a unanimous decision, they at least are able to come to a majority decision. This is obviously a "better" outcome than that resulting from only two nodes agreeing on their belief.
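The following Python program is an added example, not code from the paper: it implements the operator $g$ of Definition 3.3 together with a strategy extraction step, and applies it to the four-node leader election above. Everything not stated on the page is an assumption and is marked as such in the comments: the ring is 1-2-3-4-1; a sent belief arrives unchanged or shifted by $\pm 1$ within $\{1,\ldots,4\}$; at most one of the eight messages in the network is corrupted per round, which is the reading under which the $L_1$ deviation from the nominal successor is at most $\gamma = 1$ for all three rules; "integer part of the average" is taken as the floor. The strategy extraction is the usual argmin over the one-step worst case, written slightly differently from the set given on the page. Whether the floor rule reproduces the self loops at 2223 and 2232 of Figure 4 depends on the rounding and disturbance model, so the program reports what these assumptions yield rather than the page's figures. Using all three rules as the action alphabet $\Sigma = \{B, T, F\}$ turns the same computation into the synthesis problem of Section 3.

```python
"""Worst-case reachability fixed point (Definition 3.3) applied to the
four-node leader election of Section 4.  Added example; the network model
below is an assumption, not taken from the page's figures."""
from typing import Callable, Dict, Hashable, Iterable, List, Sequence, Set, Tuple

State = Hashable
PostFn = Callable[[State], Dict[str, Set[State]]]   # q -> {action: Post_a(q)}


def robust_fixpoint(states: Iterable[State], post: PostFn,
                    dist: Callable[[State], float]) -> Dict[State, float]:
    """Iterate g(opt)(q) = min(opt(q), min_a max_{p in Post_a(q)} opt(p))
    from opt^0(q) = d(q, F) until the vector stops changing (opt*).
    Values never increase and come from a finite set, so this halts."""
    opt = {q: dist(q) for q in states}
    while True:
        nxt = {q: min([opt[q]] + [max(opt[p] for p in succ)
                                   for succ in post(q).values() if succ])
               for q in opt}
        if nxt == opt:
            return opt
        opt = nxt


def synthesise(states: Iterable[State], post: PostFn,
               opt: Dict[State, float]) -> Dict[State, List[str]]:
    """Actions whose worst-case successor value attains opt*(q), ignoring
    actions that can only keep the system at q (argmin extraction, assumed)."""
    strategy = {}
    for q in states:
        good = [a for a, succ in sorted(post(q).items())
                if succ and succ != {q} and max(opt[p] for p in succ) == opt[q]]
        strategy[q] = good or sorted(post(q))
    return strategy


# ---- Section 4: four nodes on a ring, beliefs in {1,2,3,4} ------------------
N, VALUES, START = 4, (1, 2, 3, 4), (1, 2, 3, 4)
CONSENSUS = {(v,) * N for v in VALUES}            # terminal set F
RULES: Dict[str, Callable[[Sequence[int]], int]] = {
    "B": min,                      # least of own belief and the two received
    "T": max,                      # largest of the three
    "F": lambda xs: sum(xs) // 3,  # integer part of the average (floor, assumed)
}


def d_consensus(q: Tuple[int, ...]) -> int:
    """L1 (Manhattan) distance from q to the nearest unanimous state."""
    return min(sum(abs(x - c) for x in q) for c in VALUES)


def neighbours(i: int) -> Tuple[int, int]:
    return ((i - 1) % N, (i + 1) % N)            # ring 1-2-3-4-1 (assumed)


def received(v: int) -> Set[int]:
    """Values a sent belief v may arrive as: unchanged or shifted by +-1,
    never outside {1,..,4} (a sent '1' arrives as '1' or '2')."""
    return {w for w in (v - 1, v, v + 1) if 1 <= w <= 4}


def successors(q: Tuple[int, ...], rule) -> Set[Tuple[int, ...]]:
    """Post_rule(q): every state reachable in one round when at most ONE of
    the eight messages is corrupted (assumption: this keeps the L1 deviation
    from the nominal successor at or below gamma = 1 for every rule)."""
    nominal = {(s, r): q[s] for r in range(N) for s in neighbours(r)}
    deliveries = [nominal] + [{**nominal, m: w}
                              for m, v in nominal.items() for w in received(v) - {v}]
    return {tuple(rule([q[r]] + [dl[(s, r)] for s in neighbours(r)])
                  for r in range(N)) for dl in deliveries}


def nominal_run(rule_name: str, start=START, limit: int = 20) -> List[Tuple[int, ...]]:
    """Undisturbed trace: every message arrives as sent."""
    rule, q, run = RULES[rule_name], start, [start]
    while q not in CONSENSUS and len(run) < limit:
        q = tuple(rule([q[r]] + [q[s] for s in neighbours(r)]) for r in range(N))
        run.append(q)
    return run


def analyse(actions: Sequence[str], gamma: float = 1.0):
    """Controller alphabet `actions`: one rule name gives the restricted
    automaton A|_S for that strategy; ["B", "T", "F"] is the synthesis
    problem.  Returns (sigma, opt*, strategy) on the reachable part of A."""
    def post(q):
        return {a: successors(q, RULES[a]) for a in actions}
    seen, todo = {START}, [START]
    while todo:                                   # reachable part of A
        for p in set().union(*post(todo.pop()).values()):
            if p not in seen:
                seen.add(p)
                todo.append(p)
    table = {q: post(q) for q in seen}            # compute Post once per state
    opt = robust_fixpoint(seen, table.__getitem__, d_consensus)
    return opt[START] / gamma, opt, synthesise(seen, table.__getitem__, opt)


if __name__ == "__main__":
    for name in RULES:
        print(f"{name}: sigma = {analyse([name])[0]}, nominal run {nominal_run(name)}")
    sigma, _, strat = analyse(list(RULES))
    print(f"synthesis over {{B,T,F}}: sigma = {sigma}, actions at start = {strat[START]}")
```

Running it prints $\sigma$ for each fixed rule (the automaton $A|_S$) and the synthesized action set at the initial state. Restricting the alphabet to B or to T gives $\sigma = 0$ from $(1,2,3,4)$, as the page states: under these assumptions every outcome of B has reached a unanimous state after three rounds, whatever single message the disturbance corrupts in each round, and T is the mirror image of B under $v \mapsto 5 - v$ combined with a rotation of the ring.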

5. Omega-regular objectives

We now extend the results to more general $\omega$-regular acceptance conditions. We do this in two steps. First, we provide a simple generalization to Büchi acceptance conditions. Then, we show how ideas based on progress measures [14, 20] can be used to provide robustness results for parity acceptance conditions. In every case we make an appropriate connectedness assumption.

A THEORY OF ROBUST SOFTWARE SYNTHESIS

[Figure 3, panel: Strategy B]
5.1. Büchi acceptance conditions. Let $(A,F) = ((Q,d), q_0, \Sigma, \delta, X, \gamma, F)$ be a Büchi automaton with acceptance condition $F \subseteq Q$ such that $A$ is nominally coreachable with respect to $F$. First note that Büchi acceptance asks that for a trace $\tau \in Q^\omega$, the intersection of the set $\zeta(\tau)$ of states occurring infinitely often on $\tau$ with the set of terminal states is non-empty. So by viewing the Büchi condition as an infinite series of reachability conditions for the set $F$, and under Assumption 2.3, the definitions and results for reachability also apply in the case of Büchi automata.

In particular, note that the definition of a control Lyapunov function given in the previous section only requires that inequality (2) holds for states outside of the set $F$. A control Lyapunov function $R_F$ for a Büchi automaton induces a memoryless strategy $S : Q \to 2^\Sigma$ which specifies actions satisfying (2) for any state in $Q \setminus F$ and any arbitrary action for states in $F$. The strategy $S$ is nominally winning: the argument that $F$ is reached is identical to the reachability case, and the coreachability assumption ensures that an arbitrary action from $F$ will not prevent $F$ from being visited again.



Proposition 5.1. Let $(A,F)$ be a finite Büchi automaton satisfying Assumption 2.3 and let $S$ be a memoryless strategy. Then $S$ is nominally winning if and only if there exists a Lipschitz continuous control Lyapunov function $R_F$ such that $S$ can be induced from $R_F$.

Since we are able to cast Biichi acceptance as an infinitely repeated reachability condi- 
tion, the methods for calculating a for a given strategy and optimal achievable robustness 
bounds are identical to the reachability case. 



Proposition 5.2. Let $(A,F)$ be a finite Büchi automaton satisfying Assumption 2.3 with constant disturbance bound $\gamma$ and let $S$ be a nominally winning memoryless strategy induced from a control Lyapunov function $R_F$. Then $S$ is an $f^{-1}(K\gamma)/\gamma$-robust winning strategy where $K$ is the Lipschitz constant of $R_F$.

The robustness bound for a given nominally winning strategy may be calculated in a 
manner identical to that presented for reachability automata. The same is true for the 
optimal and worst case achievable robustness bounds and optimal strategies for a given 
Biichi automaton. 

Example 5.3. Consider the Büchi automaton $(A,F)$ with $F = \{q_6\}$ whose nominal behaviour is shown in Figure 5. Note that this automaton is identical to the reachability automaton presented in Figure 1 (Example 2.7) with the addition of two new edges beginning at $q_6$. The distances between the states and the rank functions $R_b : Q \to \mathbb{R}_0^+$ and $R_a : Q \to \mathbb{R}_0^+$ are as before; their values may be found in Tables 1 and 2. The two strategies $S_b : Q \to \Sigma$ and $S_a : Q \to \Sigma$ are induced in the same way for states in $Q \setminus F$. Observe that a control Lyapunov function for a Büchi automaton does not specify the value of the induced strategy for terminal states. There are of course two options, namely $a$ and $b$, leading to the states $q_0$ and $q_2$ respectively.

For $S_a$ observe that $R_a(q_0) < R_a(q_2)$ and so we set $S_a(q_6)$ equal to $a$. For the strategy $S_b$, note that $R_b(q_0) = R_b(q_2)$. For consistency we set $S_b(q_6) = b$. Then the strategy $S_b$ is 5-robust and $S_a$ is 1-robust.

5.2. Generalized Büchi conditions. We want to generalize the construction of rank functions to parity acceptance conditions. As a warm-up, we first describe methods for generalized Büchi acceptance conditions. It is a standard argument in automata theory to reduce a generalized Büchi automaton to a Büchi automaton: the resulting automaton will have state set $Q \times \{0, \ldots, n-1\}$ where $|\mathcal{F}| = n$. So for a system presented as a generalized Büchi automaton, Proposition 5.1 may be applied to an expanded state space, and winning strategies may be induced. However, we give an alternate "direct" rank function construction based on progress measures that will introduce techniques useful in the parity case. Calculating robustness directly for generalized Büchi automata has other advantages too: for example, given a distance function $d$ on a generalized Büchi automaton $A$, how do we lift $d$ to a metric on the new Büchi automaton that makes sense in the context of the original system? This question is likely to be difficult to answer in a satisfactory manner.

[Figure 5. The undisturbed Büchi automaton.]

Let $(A,\mathcal{F}) = ((Q,d), q_0, \Sigma, \delta, X, \gamma, \mathcal{F})$ be a generalized Büchi automaton with $\mathcal{F} = \{F_0, \ldots, F_{n-1}\}$. For $i = 0, 1, \ldots, n-1$ let $R_i : Q \to \mathbb{R}_0^+$ be a (reachability) rank function with respect to the set $F_i$. Then a (generalized Büchi) rank function $R : Q \to (\mathbb{R}_0^+)^n$ is defined by $R(q) = (R_0(q), R_1(q), \ldots, R_{n-1}(q))$ for each $q \in Q$.

We extend the notion of Lipschitz continuity for functions in the obvious way: a function $R : Q \to (\mathbb{R}_0^+)^n$ is Lipschitz continuous if there exists $K > 0$ such that for each $i \in \{0, \ldots, n-1\}$ and for all $q, q' \in Q$ it holds that
$$|R_i(q) - R_i(q')| \le K\, d(q,q').$$
As before, if the set $Q$ is finite then every real valued function of this form has this property.

A relation and ordering on $n$-tuples of positive reals is defined as follows. For every $i \in \{0, 1, \ldots, n-1\}$ define the preorder $\ge^i$ on $(\mathbb{R}_0^+)^n$: let $a, b \in (\mathbb{R}_0^+)^n$ with $a = (a_0, \ldots, a_{n-1})$ and $b = (b_0, \ldots, b_{n-1})$. Then $a \ge^i b$ if and only if $a_i \ge b_i$. We also let $a >^i b$ if and only if $a_i > b_i$. Based on $>^i$ we introduce another relation on $(\mathbb{R}_0^+)^n$, denoted by $\blacktriangleright^i$ and defined by $a \blacktriangleright^i b$ if and only if one of the following two conditions holds:
$$a >^i b \quad\text{or}\quad a_{(i-1) \bmod n} = 0.$$
Observe that, since the labeling of the sets in $\mathcal{F}$ begins at $0$ instead of $1$, the relation $>^0$ corresponds with the 1st index of the $n$-tuple, $>^1$ corresponds with the 2nd index, and so on.
Proposition 5.4. Let $A$ be a finite generalized Büchi automaton with acceptance condition $\mathcal{F} = \{F_0, \ldots, F_{n-1}\}$. If a trace $\tau = q_0 q_1 q_2 \cdots$ is such that
$$(4)\qquad R(q_0) \blacktriangleright^0 R(q_1) \blacktriangleright^0 \cdots \blacktriangleright^0 R(q_{i_0}) \blacktriangleright^1 R(q_{i_0+1}) \blacktriangleright^1 \cdots \blacktriangleright^1 R(q_{i_1}) \blacktriangleright^2 \cdots \blacktriangleright^{n-1} R(q_{i_{n-1}}) \blacktriangleright^0 R(q_{i_{n-1}+1}) \blacktriangleright^0 \cdots$$
then $\tau$ satisfies the generalized Büchi acceptance condition.

Proof. Let $\tau$ be a trace of the form given above. By definition, if two consecutive relations in (4) have different indices (say $k$ and $k+1$) then the state appearing between them must be contained in the set $F_k$. Hence
$$q_{i_0} \in F_0,\ q_{i_1} \in F_1,\ \ldots,\ q_{i_{n-1}} \in F_{n-1},\ \ldots,$$
and $\tau$ infinitely often features a state in each of the sets in $\mathcal{F}$. □

Intuitively, a trace of this form is initially moving towards the set $F_0$ via the relation $\blacktriangleright^0$. Once a state in the set $F_0$ is reached, the second part of the definition of $\blacktriangleright$ applies and $\blacktriangleright^1$ is satisfied until a state in the set $F_1$ is reached. On reaching a state in the set $F_{n-1}$, the relation returns to $\blacktriangleright^0$, and so on.

Note that the other direction does not necessarily hold: a winning trace will not necessarily have the above form. For example, the trace may visit the sets in a non-sequential order, or may visit multiple states from each set on each pass through the automaton.

For brevity, we introduce some more notation. Let $d(q,\mathcal{F})$ denote the vector valued distance
$$d(q,\mathcal{F}) = (d(q,F_0), d(q,F_1), d(q,F_2), \ldots, d(q,F_{n-1})).$$
A generalized Büchi rank function $R$ is said to be a control Lyapunov function if there exists a monotonically increasing function $f : \mathbb{R}_0^+ \to \mathbb{R}_0^+$ with $f(0) = 0$, applied componentwise to vectors, such that for every $i \in \{0, 1, \ldots, n-1\}$ and every $q \in Q \setminus F_i$ there exists $a \in \Sigma$ with
$$R(q^{a\epsilon}) - R(q) \le^i -f(d(q,\mathcal{F})).$$
For a fixed $i$, the function $R_i$ is a reachability control Lyapunov function with respect to the set $F_i$. Hence every state $q \in Q$ is coreachable with respect to the set $F_i$ for every $i \in \{0, \ldots, n-1\}$ and the automaton $A$ satisfies Assumption 2.4. To see that this is necessary, consider for example a state $q \in Q$ from which the set $F_i$ is not reachable for some $i \ge 0$. Then any state coreachable with respect to $q$, and any state reachable from $q$, may not appear on a winning trace. Hence all such states are redundant (including $q$). These definitions are the natural extension of those given for reachability and Büchi automata.

Generalized Büchi automata do not admit memoryless strategies; a winning strategy must keep track of the index $i+1$ where $i$ is the index of the last terminal set $F_i$ which was visited on the trace. Therefore a strategy for a generalized Büchi automaton $(A,\mathcal{F})$ is a function $S : Q \times \{0, \ldots, n-1\} \to 2^\Sigma$ where for every $i \in \{0, \ldots, n-1\}$, the restriction $S(\cdot, i)$ is a memoryless reachability strategy, and may be induced from $R_i$.

Proposition 5.5. Let $(A,\mathcal{F})$ be a finite generalized Büchi automaton satisfying Assumption 2.4 and let $S : Q \times \{0, \ldots, n-1\} \to 2^\Sigma$ be a strategy of the form described above (memoryless for each fixed index $i$). Then $S$ is nominally winning if and only if there exist Lipschitz continuous rank functions $R_i : Q \to \mathbb{R}_0^+$ for $i = 0, 1, \ldots, n-1$ and a control Lyapunov function $R = (R_0, \ldots, R_{n-1})$ for $(A,\mathcal{F})$ such that $S$ may be induced from $R$.

Proof. Straightforward generalization of Proposition 5.1. □



For automata with constant disturbance bounds we have the following.

Proposition 5.6. Let $(A,\mathcal{F})$ be a finite generalized Büchi automaton satisfying Assumption 2.4 with constant disturbance bound $\gamma$ and let $S$ be a nominally winning strategy induced from a control Lyapunov function $R_{\mathcal{F}}$. The strategy $S$ is $\sigma$-robust where

for $K = \max_{i=0,\ldots,n-1} K_i$, where $K_i$ is the Lipschitz constant of the rank function $R_i$.

Proof. Assume that $R_{\mathcal{F}}$ is a control Lyapunov function for $(A,\mathcal{F})$ and let $S$ be a nominally winning strategy induced from $R_{\mathcal{F}}$. Let $T$ be a disturbance strategy. Proposition 5.2 implies that
$$R_i(q^{ax}) - R_i(q) \le K_i\gamma - f(d(q,F_i))$$
for every $q \in \tau \setminus F_i$, where $\tau \in Q^\omega$ is any outcome resulting from $S$ and $T$ and $K_i$ is the Lipschitz constant of $R_i$ with respect to $d$. Hence $S$ is $\sigma_i$-robust for $\sigma_i = f^{-1}(K_i\gamma)/\gamma$ with respect to $F_i$ and therefore the robustness of $S$ is certainly bounded by $\sigma$ as required. □

For generalized Büchi automata with state dependent disturbance bounds the verification of robustness for a strategy and the calculation of optimal robustness bounds is done in a similar manner to the reachability case. Let $(A,\mathcal{F})$ be a generalized Büchi automaton, and assume $Q = \{q_0, \ldots, q_{m-1}\}$ and $|\mathcal{F}| = n$. Instead of a vector, we define $\mathrm{opt}^0$ to be an $m$ by $n$ matrix. Letting $\mathrm{opt}^0(j,k)$ denote the entry in the $j$th row and $k$th column of $\mathrm{opt}^0$, we let $\mathrm{opt}^0(j,k) = d(q_j, F_k)$ for $j = 0, \ldots, m-1$ and $k = 0, \ldots, n-1$ (rows and columns are indexed from $0$, like the states and the sets in $\mathcal{F}$). This is the natural generalization of the definition for reachability and Büchi conditions where only one terminal set is considered. Then the monotonic function $g : (\mathbb{R}_0^+)^{m \times n} \to (\mathbb{R}_0^+)^{m \times n}$ is defined on each index $(j,k)$ of the matrix $\mathrm{opt}$ by
$$g(\mathrm{opt})(j,k) = \min\Big\{\mathrm{opt}(j,k),\ \min_{a \in \Sigma}\ \max_{q_i \in \mathrm{Post}_a(q_j)} \mathrm{opt}(i,k)\Big\}.$$
That the operator repeatedly applied beginning with $\mathrm{opt}^0$ converges to the required value follows easily from the reachability case, since each column is the reachability iteration for one set $F_k$.

Given a nominally winning strategy $S$ for a finite generalized Büchi automaton $(A,\mathcal{F})$ the robustness bound $\sigma$ may be recovered by first calculating $\mathrm{opt}^*$ for the restricted automaton $A|_S$. Then
$$\sigma = \frac{\max_{k=0,\ldots,n-1} \mathrm{opt}^*(0,k)}{\gamma}.$$
For optimal strategy synthesis we calculate the minimal achievable robustness bound as
$$\sigma_{\min} = \frac{\max_{k=0,\ldots,n-1} \mathrm{opt}^*(0,k)}{\gamma}$$
for the automaton $A$ itself. The method of induction of the strategy $S$ is a straightforward generalization of the approach presented for reachability and Büchi automata.
5.3. Parity conditions. The simple notions of rank and progress defined previously are insufficient to capture the complexity of parity acceptance conditions. Instead we generalize progress measures for parity games [14, 20]. Note that, for clarity of exposition, all results in this section are presented for deterministic strategies only. The extension to non-deterministic strategies is straightforward.

Recall that Assumption 2.5 asks only that every state $q$ is nominally coreachable with respect to some set of even parity $F_{2i}$, and if $q$ has odd parity, we assume that $2i$ is less than the parity of $q$. This is the least restrictive generalization of the coreachability assumptions made for simpler acceptance conditions. A consequence is that we extend the distance function $d$ to allow states of infinite distance from each other. Let $\bar{\mathbb{R}}_0^+ = \mathbb{R}_0^+ \cup \{\infty\}$, the extended positive reals. Then $d : Q \times Q \to \bar{\mathbb{R}}_0^+$ is an extended distance function.

Let $(A,\mathcal{F}) = ((Q,d), q_0, \Sigma, \delta, X, \gamma, \mathcal{F})$ be a parity automaton with $\mathcal{F} = \{F_0, F_1, \ldots, F_{2n+1}\}$. Denote by $d(q,\mathcal{F})$ the vector valued distance to the sets of even parity,
$$d(q,\mathcal{F}) = (d(q,F_0), d(q,F_2), d(q,F_4), \ldots, d(q,F_{2n})).$$
Let $\succ$ denote the lexicographic ordering on $(n+1)$-tuples over the extended positive real numbers, and let $\succ^i$ denote the lexicographic ordering restricted to the components $0, \ldots, i$. We define $\succeq^i$ in the obvious way: $a \succeq^i b$ if $a$ is either greater than $b$ in the restricted lexicographic ordering or equal to $b$ on those components. For $a, b \in (\bar{\mathbb{R}}_0^+)^{n+1}$ and a state $q \in Q$ define $a \triangleright^q b$ if and only if there exists $i \in \{0, 1, \ldots, n\}$ such that either

(i) $q \in F_{2i+1}$ and $a \succ^i b$, or

(ii) $q \in F_{2i}$ and $a \succeq^i b$, or

(iii) $q \notin \bigcup_{j \in \{0, \ldots, 2n+1\}} F_j$ and $a \succeq b$.

We call $\triangleright$ the parity progress measure.

A (parity) rank function $R_{\mathcal{F}} : Q \to (\bar{\mathbb{R}}_0^+)^{n+1}$ is a function with $R^i_{\mathcal{F}}(q) = 0$ if and only if $q \in F_{2i}$ (where the notation $R^i_{\mathcal{F}}(q)$ denotes the $i$th component of the image of $q$ under $R_{\mathcal{F}}$) and there exists a monotonically increasing function $\alpha : \bar{\mathbb{R}}_0^+ \to \bar{\mathbb{R}}_0^+$ such that $\alpha(0) = 0$ and
$$\alpha(d(q,F_{2i})) \le R^i_{\mathcal{F}}(q)$$
for all $q \in Q$, $i \in \{0, \ldots, n\}$. Hence a parity rank function consists of $n+1$ reachability rank functions defined upon the extended positive real numbers.

Let $\hat{Q} \subseteq (F_0 \cup F_2 \cup \cdots \cup F_{2n})$ denote the set of states of even parity from which a state of lower or equal even parity cannot be reached by a nonempty trace. That is, $\hat{Q}$ contains all states $q \in F_{2i}$, for some $i \in \{0, \ldots, n\}$, such that there does not exist $k \le i$ with some state $q' \in F_{2k}$ reachable from $q$ by a nonempty trace.

A rank function $R_{\mathcal{F}}$ for a parity automaton $(A,\mathcal{F})$ is a control Lyapunov function if there exists some monotonically increasing function $f : (\bar{\mathbb{R}}_0^+)^{n+1} \to (\bar{\mathbb{R}}_0^+)^{n+1}$ satisfying $f(0^{n+1}) = 0^{n+1}$, where $0^{n+1}$ denotes the $(n+1)$-tuple consisting of zeroes, such that for every $j \in \{1, \ldots, 2n+1\}$ and every $q \in F_j \setminus \hat{Q}$ there exists $a \in \Sigma$ with
$$(5)\qquad R_{\mathcal{F}}(q^{a\epsilon}) - R_{\mathcal{F}}(q) \preceq^i -f(d(q,\mathcal{F}))$$
for some $2i < j$.

The next proposition demonstrates that the parity progress measure $\triangleright$ is correct. Since the parity acceptance condition looks only at infinite behaviour on a trace, and we consider only automata with finite state sets, necessarily any infinite trace consists of a finite simple (loop-free) prefix followed by an infinite sequence of repeated loops. This observation is key to the proof.

Proposition 5.7. Let $\tau = q_0 q_1 q_2 \cdots \in Q^\omega$ be an infinite trace of the parity automaton $(A,\mathcal{F})$. Then if
$$(6)\qquad R_{\mathcal{F}}(q_0) \triangleright^{q_0} R_{\mathcal{F}}(q_1) \triangleright^{q_1} R_{\mathcal{F}}(q_2) \triangleright^{q_2} \cdots,$$
$\tau$ is winning with respect to $\mathcal{F}$. Moreover, if the set of indices $I \subseteq \mathbb{N}$ such that $R_{\mathcal{F}}(q_i) \triangleright^{q_i} R_{\mathcal{F}}(q_{i+1})$ does not hold is finite, then $\tau$ will be winning with respect to $\mathcal{F}$.

Proof. Let $p_1, \ldots, p_m \in Q$ be the states of a loop $p_1 \ldots p_m p_1$ that is repeated on $\tau$, and let
$$k = \min_{j \in \{1, \ldots, m\}} \{\, i \mid p_j \in F_{2i} \vee p_j \in F_{2i+1} \,\}.$$
By definition
$$(8)\qquad R_{\mathcal{F}}(p_1) \triangleright^{p_1} R_{\mathcal{F}}(p_2) \triangleright^{p_2} \cdots \triangleright^{p_{m-1}} R_{\mathcal{F}}(p_m) \triangleright^{p_m} R_{\mathcal{F}}(p_1).$$
Let $j \in \{1, \ldots, m\}$ be such that $p_j \in F_{2k+1}$ or $p_j \in F_{2k}$. If $p_j \in F_{2k+1}$ then one of the inequalities in (8) is strict on the components $0, \ldots, k$, while none of them can increase on those components since every state of the loop has parity at least $2k$; hence $R_{\mathcal{F}}(p_1) \succ^k R_{\mathcal{F}}(p_1)$, a contradiction. Therefore $p_j \in F_{2k}$ and the least parity appearing in the loop $p_1 \ldots p_m p_1$ must be even. This is sufficient to prove that any infinite trace $\tau \in Q^\omega$ satisfying (6) also satisfies the parity condition.

Now assume that the set $I$ is non-empty and has finite cardinality. Since $I$ is finite there exists some $N \in \mathbb{N}$ such that for all $k \ge N$, $R_{\mathcal{F}}(q_k) \triangleright^{q_k} R_{\mathcal{F}}(q_{k+1})$ holds. Let $\tau_N$ denote the suffix of $\tau$ whose first state is $q_N$. Then by the first part of the proof the lowest parity in the set $\zeta(\tau_N)$ is even, and since $\zeta(\tau) = \zeta(\tau_N)$ the result follows. □

As we observed before the proposition, a nominally winning infinite trace of a finite state parity automaton is necessarily comprised of a finite simple prefix followed by an infinite series of repeated loops. It is then straightforward to argue that the least parity appearing on any such loop must be even. Continuing on this line of thinking one observes that any such repeated loop comprising part of an infinite trace satisfying (6) must consist entirely of even states. Hence a trace of this form will feature odd states only finitely often.

Proposition 5.8. Let r — qoqiq2 ■ . . G be an infinite trace of the parity automaton 

{A,.nif 

(9) R.^{qk+l) - R.^{qk) ~I{d{qk, ^)) 

for all qk & Q\Q appearing on t and Q is finite then t satisfies ,^ . 

Proof. Let $q_k \in Q \setminus \bar Q$. If $q_k \in F_{2i}$ for some $i$ then (9) implies that $R_\mathcal{F}(q_k) \succeq R_\mathcal{F}(q_{k+1})$
and $q_k \triangleright q_{k+1}$ as required.

Instead assume that $q_k \in F_j$ for some $j$ odd. The function $f(d(q_k, \mathcal{F}))$ restricted to
any $i \in \{0, \dots, n\}$ is non-zero, and so $R_\mathcal{F}(q_{k+1}) \prec R_\mathcal{F}(q_k)$ for some $2i < j$ and hence
for all $l$ satisfying $i < l < j$. Therefore $R_\mathcal{F}(q_k) \triangleright R_\mathcal{F}(q_{k+1})$.

Finally let $q_k \in \bar Q$ and $q_k \in F_{2i}$. Then $q_k$ and $q_{k+1}$ need not satisfy (9) and so may not
satisfy the parity measure $\triangleright$. Since $q_k \in \bar Q$ there exists no $l > k$ such that $q_l = q_k$. Indeed,
if this were the case, it would contradict our assumption that a finite trace connecting $q_k$
to a state of lower or equal parity does not exist. Since the cardinality of $\bar Q$ is finite there
exist only a finite number of indices $l \in \mathbb{N}$ such that $R_\mathcal{F}(q_l) \triangleright R_\mathcal{F}(q_{l+1})$ does not hold
and Proposition 5.7 yields the result. □

Given a control Lyapunov function $R_\mathcal{F}$ for a parity automaton $(A, \mathcal{F})$, a deterministic
memoryless strategy $S : Q \to \Sigma$ induced from $R_\mathcal{F}$ may be defined as follows. Let $q \in Q$.

(i) : If $q \in Q \setminus \bar Q$ choose $S(q) = a$ such that $R_\mathcal{F}(q^{a,\varepsilon})$ satisfies (9) and is minimal
with respect to the lexicographic ordering.

(ii) : If $q \in \bar Q$ set $S(q) = a$ for any $a \in \Sigma$.
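The induction rules above, worked through on a small example. The following Python is an added example, not code from the paper: it constructs a five-state parity automaton with colours 0 to 3, embeds its states on a line to obtain a metric, uses the distance vector $(d(q, F_0), d(q, F_2))$ as the rank $R_\mathcal{F}$ (the same shape as $\mathrm{opt}_0(j)$ later in the section), induces a memoryless strategy by rules (i) and (ii), and checks nominal winning with the loop criterion discussed after Proposition 5.7. The automaton, the metric, and the progress test `progresses` (a standard parity progress-measure comparison, non-strict at even colours and strict at odd ones, standing in for the paper's $\triangleright$, whose exact definition is not reproduced here) are all assumptions of the example.

```python
"""Added example (not the paper's code): inducing a memoryless strategy from a
vector-valued rank on a constructed parity automaton and checking that the
induced strategy is nominally winning via the loop criterion."""

# Constructed parity automaton with colours 0..3 (so n = 1): F_0 = {s3},
# F_2 = {s0}; the odd colours 1 and 3 sit on the remaining states.
COLOUR = {"s0": 2, "s1": 3, "s2": 1, "s3": 0, "s4": 3}
INPUTS = ("a", "b")
DELTA = {  # nominal successors delta(q, a, epsilon)
    "s0": {"a": "s1", "b": "s2"},
    "s1": {"a": "s3", "b": "s4"},
    "s2": {"a": "s3", "b": "s0"},
    "s3": {"a": "s3", "b": "s1"},
    "s4": {"a": "s4", "b": "s1"},
}
# Constructed metric: states embedded on a line, d(q, q') = |POS[q] - POS[q']|.
POS = {"s3": 0, "s1": 1, "s2": 1, "s4": 2, "s0": 2}
N_EVEN = 2  # number of even colours; ranks are (n + 1)-tuples with n = 1


def d(q, targets):
    """Distance from q to a set of states under the line metric."""
    return min(abs(POS[q] - POS[p]) for p in targets)


def even_set(i):
    """F_{2i}: the states of colour 2i."""
    return {q for q, c in COLOUR.items() if c == 2 * i}


def rank(q):
    """R_F(q) = (d(q, F_0), d(q, F_2)): distance vector to the even colour sets."""
    return tuple(d(q, even_set(i)) for i in range(N_EVEN))


def progresses(q, q_next):
    """Progress test standing in for the paper's ordering (assumption): compare
    ranks lexicographically on components 0..colour(q)//2, non-strictly when q
    has even colour and strictly when q has odd colour."""
    k = COLOUR[q] // 2 + 1
    cur, nxt = rank(q)[:k], rank(q_next)[:k]
    return nxt < cur if COLOUR[q] % 2 else nxt <= cur


def induce_strategy():
    """Rule (i): among inputs whose nominal successor makes progress, take the one
    with the lexicographically least successor rank (ties broken by input name).
    Rule (ii): a state with no such input plays the role of a state of Q-bar, and
    any input (here the first) is chosen."""
    strategy = {}
    for q in COLOUR:
        admissible = [a for a in INPUTS if progresses(q, DELTA[q][a])]
        if admissible:
            strategy[q] = min(admissible, key=lambda a: (rank(DELTA[q][a]), a))
        else:
            strategy[q] = INPUTS[0]
    return strategy


def lasso(strategy, start):
    """Follow the strategy from start until a state repeats; return (prefix, loop)."""
    first_seen, trace, q = {}, [], start
    while q not in first_seen:
        first_seen[q] = len(trace)
        trace.append(q)
        q = DELTA[q][strategy[q]]
    return trace[:first_seen[q]], trace[first_seen[q]:]


def is_nominally_winning(strategy, start):
    """Parity condition on the nominal outcome: the least colour on the loop
    (the colours seen infinitely often) must be even."""
    _, loop = lasso(strategy, start)
    return min(COLOUR[q] for q in loop) % 2 == 0


def loop_progress_failures(strategy, start):
    """Steps on the loop where the progress test fails. Proposition 5.7 allows
    finitely many failures; for a lasso that means none on the loop itself."""
    _, loop = lasso(strategy, start)
    cycle = loop + loop[:1]
    return [i for i in range(len(loop)) if not progresses(cycle[i], cycle[i + 1])]


if __name__ == "__main__":
    S = induce_strategy()
    print("induced strategy:", S)
    for q in COLOUR:
        print(q, "winning" if is_nominally_winning(S, q) else "losing", lasso(S, q))
```

Running it induces `{"s0": "a", "s1": "a", "s2": "a", "s3": "a", "s4": "b"}`; every state's lasso ends in the colour-0 self-loop on `s3`, so the strategy is nominally winning from everywhere and no progress failure occurs on any loop. Replacing the choice at `s4` by `"a"` produces a loop on a colour-3 state, which `is_nominally_winning` rejects and `loop_progress_failures` reports at step 0.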



Theorem 5.9. Let $(A, \mathcal{F})$ be a finite parity automaton satisfying Assumption 2.5 and let
$S : Q \to \Sigma$ be a deterministic memoryless strategy. Then $S$ is nominally winning if and
only if there exists a Lipschitz continuous control Lyapunov function $R_\mathcal{F}$ such that $S$ may
be induced from $R_\mathcal{F}$.

Proof. That a strategy induced from a control Lyapunov function is nominally winning
follows immediately from Proposition 5.8. So let $S : Q \to \Sigma$ be a deterministic memoryless
nominally winning strategy for $(A, \mathcal{F})$. In order to synthesize a control Lyapunov
function from which $S$ may be induced, the state set $Q$ is partitioned into $n + 1$ pieces,

$$Q = \hat F_0 \cup \hat F_2 \cup \cdots \cup \hat F_{2n}$$

where the sets $\hat F_{2i}$ for $i = 0, \dots, n$ are defined as follows. For $q \in Q$, let $i \in \{0, \dots, n\}$
be the least such that there exists a trace resulting from applying $S$ in $A$ connecting $q$ to a
state in the set $F_{2i}$. Then the state $q$ is contained in $\hat F_{2i}$. Since we assume that a state of
even parity may be reached from all states in $Q$, the resulting sets form a partition.

We construct from $(A, \mathcal{F})$ a weighted digraph $(Q, E)$. An edge $(q, x_q, q')$ is contained
in the edge set $E$ if and only if $q \in \hat F_{2i} \setminus F_{2i}$ for some $i \in \{0, \dots, n\}$ and $\delta(q, S(q), \varepsilon) = q'$.
Let $\eta : \mathbb{R}_0^+ \to \mathbb{R}_0^+$ be a monotonically increasing function with $\eta(0) = 0$. The weight
$x_q = (x_0, x_1, \dots, x_n) \in (\mathbb{R}_0^+ \cup \{\infty\})^{n+1}$ is defined as follows:

• for all $j \in \{0, \dots, n\}$ with $j \ge i$, $x_j = \eta(d(q, F_{2j}))$;

• for all $j \in \{0, \dots, n\}$ with $j < i$, $x_j = \infty$.

Define $R : Q \to (\mathbb{R}_0^+ \cup \{\infty\})^{n+1}$ where for $q \in \hat F_{2i} \setminus F_{2i}$, $R(q) = \sum_{q' \in \tau} x_{q'}$ where $\tau \in Q^*$
is the unique trace connecting $q$ to some state in $F_{2i}$ resulting from applying the strategy
$S$ in $A$.

Let $F_d = \bigcup_{i=0}^{n} (\hat F_{2i} \cap F_{2i})$, the set of states for which the function $R$ has not been
defined. Notice that it is not necessarily the case that $F_d = F$. These states are precisely
those states of even parity from which a state of lower or equal even parity cannot be
reached, that is, $F_d$ coincides precisely with the set $\bar Q$. For $q \in \bar Q$ with $q \in F_{2i}$ set
$R_\mathcal{F}(q)_j = d(q, F_{2j})$ for $j \ge i$ and $R_\mathcal{F}(q)_j = \infty$ for $j < i$, where $j \in \{0, \dots, n\}$.

We once again observe that for all $q \in Q \setminus \bar Q$

$$R(\delta(q, S(q), \varepsilon)) - R(q) \preceq -\eta(d(q, \mathcal{F}))$$

for some $i$ depending on $q$. Hence $R$ is a control Lyapunov function.

Since the choice of input for $q \in \bar Q$ may be arbitrary for a strategy induced from $R$, the
result follows. □

The following result takes advantage of the extra flexibility resulting from a partial 
colouring of the state set. If each set F2i for i = 0, . . . , n has only non-parity states in 
its immediate neighbourhood, the sets may be inflated without overlap to ensure that a 
strategy induced from a control Lyapunov function is winning for an inflated acceptance 
condition as defined below. 
Theorem 5.10. Let $(A, \mathcal{F})$ be a finite parity automaton satisfying Assumption 2.5 with
constant disturbance bound $\gamma$ and let $S$ be a deterministic memoryless strategy induced
from a control Lyapunov function $R_\mathcal{F}$. Further, let $F = \bigcup_{i=0}^{2n+1} F_i$ be such that $F \subseteq Q$
and, for all $i \in \{0, \dots, n\}$, if $q \notin F_{2i}$ and $f(d(q, F_{2i})) < K\gamma$ then $q \notin F$. Then $S$ is a
$\sigma$-robust winning strategy for $\sigma = f^{-1}(K\gamma)/\gamma$.

Proof. Assume first that $R_\mathcal{F}$ is a Lipschitz continuous control Lyapunov function for
$(A, \mathcal{F})$ and let $S$ be a deterministic memoryless strategy induced from $R_\mathcal{F}$. Let $T$ be
a disturbance strategy and let $\tau \in Q^\omega$ be the unique nominal outcome resulting from $S$
and $T$. An argument similar to the one used in Theorem [TT] implies that for each $q \in \tau$

$$(10)\qquad R_\mathcal{F}(q^{a,x}) - R_\mathcal{F}(q) \preceq (K_1(q)\gamma, \dots, K_n(q)\gamma) - f(d(q, \mathcal{F})).$$

Let $2i$ be the least colour appearing infinitely often on $\tau$ and define $F'_{2i} = \{ q \in Q \mid d(q, F_{2i}) < \sigma\gamma \}$
for $i = 0, \dots, n$. Inequality (10) implies that $\tau$ will visit infinitely often
states in the set $F'_{2i}$ in $A$. Since, by assumption, states in $F'_{2i} \setminus F_{2i}$ are not contained in $F$,
the inflation from $F_{2i}$ to $F'_{2i}$ will not cause any state to have more than one parity, and we
conclude that the strategy $S$ is $\sigma$-robust. □

For parity automata with state dependent disturbance bounds we again use the operators
$g$ and $\bar g$, but this time with some modifications to take advantage of the progress measure
$\triangleright$. As for the case of reachability automata, $\mathrm{opt}$ is defined to be a vector of size $m$ over the
positive reals, however this time we let $\mathrm{opt}_0(j) = (d(q_j, F_0), d(q_j, F_2), \dots, d(q_j, F_{2n}))$
where $\mathcal{F} = \{F_0, F_1, \dots, F_{2n+1}\}$. The operators $g$ and $\bar g$ are defined in the same way as
for reachability automata, but the underlying ordering used for the minimum operation is
the lexicographic ordering on the $(n+1)$-tuples instead of the numerical ordering used in the previous
cases. This alteration does not affect the complexity of the algorithm.

For a nominally winning strategy $S$ for a finite parity automaton $(A, \mathcal{F})$, $\sigma$ may be
recovered by calculating $\mathrm{opt}^*$ for $A|_S$. We abuse previous notation and let $\mathrm{opt}(j, k)$ denote
the $k$-th index in the $(n+1)$-tuple appearing on the $j$-th line of the vector $\mathrm{opt}$. Then

$$\sigma = \frac{\max_{k = 1, \dots, n+1} \mathrm{opt}^*(0, k)}{\gamma}.$$

Then if the acceptance condition is such that $F \subseteq Q$ and, for all $i \in \{0, \dots, n\}$, if $q \notin F_{2i}$ and
$d(q, F_{2i}) < \sigma\gamma$ then $q \notin F$, the strategy $S$ is $\sigma$-robust.

For optimal strategy synthesis we first restrict the automaton $A$ with respect to the
progress measure $\triangleright$. For all $q_j \in Q$, $a \in \Delta(q_j)$ if and only if $\mathrm{opt}_0(j) \triangleright \mathrm{opt}_0(j')$ where
$\delta(q_j, a, \varepsilon) = q_{j'}$. We denote the automaton restricted in this way by $A|_{\triangleright}$. Calculating $\mathrm{opt}^*$
for $A|_{\triangleright}$, the optimum achievable value of $\sigma$ is recovered as

$$\sigma = \frac{\min_{k = 1, \dots, n+1} \mathrm{opt}^*(0, k)}{\gamma}.$$

The method of induction of the strategy 5 is a straightforward generalization of the ap- 
proach presented for previous acceptance conditions. Again one must check the separation 
of the even parity sets with respect to the distance function d to ensure that the resulting 
strategy will be robust. 

6. Application: Transient faults 

Transient faults, such as single-event upsets, are unpredictable disturbances in electronic
systems that can cause bits in an electronic circuit to flip. They are becoming more relevant
in electronic systems design due to reductions in feature sizes [6, 16, 22]. We show that
strategies synthesized using control Lyapunov functions are robust to infinitely occurring
transient faults provided they occur infrequently enough.

Let $N \in \mathbb{N}$. A disturbance strategy $T : Q^* \times \Sigma \to X$ is $N$-bounded if, whenever
$T(\tau, a) \ne \varepsilon$ and $T(\tau', b) \ne \varepsilon$ for traces $\tau, \tau' \in Q^*$ with $\tau$ a proper prefix of $\tau'$ and
$a, b \in \Sigma$, we have $|\tau'| - |\tau| \ge N$. Intuitively, disturbance strategies are $N$-bounded if any
two occurrences of (non-trivial) disturbances are separated by at least $N$ steps.

Let $A$ be an automaton and $F$ a (Büchi or parity) acceptance condition. Our main result
is that for sufficiently large (but finite) $N$, a nominally winning strategy induced from a
control Lyapunov function is winning against $N$-bounded disturbance strategies.

Proposition 6.1. Let $A$ be an automaton, $F$ a Büchi acceptance condition and $\mathcal{F}$ a parity
acceptance condition.

(i) : Let $R_F$ be a control Lyapunov function for the Büchi automaton $(A, F)$ and
let $S$ be a $\sigma$-robust deterministic strategy induced from $R_F$. Then $S$ is winning
against every $N$-bounded disturbance strategy with $N \ge \max_{q \in F'} |\tau^S(q, F)|$
where $F' = \{ q \in Q \mid d(q, F) < \sigma\gamma \}$.

(ii) : Let $R_\mathcal{F}$ be a control Lyapunov function for the parity automaton $(A, \mathcal{F})$ and
let $S$ be a $\sigma$-robust strategy induced from $R_\mathcal{F}$. Then $S$ is winning against every
$N$-bounded disturbance strategy, where

$$\infty > N \ge \max_{i = 0, \dots, n} \Big( \max \big( \{ |\tau^S(q, F_{2i})| : q \in F'_{2i} \} \cap \mathbb{R} \big) \Big)$$

for $F'_{2i} = \{ q \in Q \mid d(q, F_{2i}) < \sigma\gamma \}$.

In (ii) it is important that the value of $N$ is finite. Indeed, that $N$ is not finite is a
possibility since there may exist sets of even parity which are not reachable from a given
state $q \in Q$.
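The $N$-bounded definition and the bound of Proposition 6.1(i), worked through on a constructed Büchi metric automaton. The following Python is an added example, not code from the paper: the states are the integers $0, \dots, M$ with $d(q, q') = |q - q'|$, the accepting set is $F = \{0\}$, the single input moves three states toward $F$ nominally, and a disturbance of magnitude at most $\gamma = 2$ is added after the nominal move. The rank $R_F(q) = d(q, F)$ induces the strategy; the code computes $F'$, the bound $N$ of Proposition 6.1(i), the classical longest-path bound that the discussion after the proof compares it with, and then simulates a worst-case $N$-bounded adversary. Reading $N$-bounded as "at least $N$ nominal transitions between two faults" (as the proof does), counting $|\tau^S(q, F)|$ in transitions, and reading $\sigma\gamma$ off the automaton rather than from $f^{-1}(K\gamma)$ are assumptions of the example.

```python
"""Added example (not the paper's code): an N-bounded transient-fault adversary
against a rank-induced strategy on a constructed Buchi metric automaton."""

M = 30       # constructed state space: the integers 0..M, metric |q - q'|
SPEED = 3    # the single input moves nominally SPEED states toward F
GAMMA = 2    # constant disturbance bound: |x| <= GAMMA
F = {0}      # Buchi accepting set
EPS = 0      # the trivial disturbance epsilon is the shift 0


def delta(q, x=EPS):
    """delta(q, S(q), x): nominal move toward F, then the disturbance x."""
    nominal = max(q - SPEED, 0)
    return min(max(nominal + x, 0), M)


def rank(q):
    """R_F(q) = d(q, F), the control Lyapunov function inducing S."""
    return min(abs(q - f) for f in F)


def nominal_trace_length(q):
    """|tau^S(q, F)|, counted as the number of nominal transitions from q to F
    (assumption about how trace length is counted)."""
    steps = 0
    while q not in F:
        q, steps = delta(q), steps + 1
    return steps


def robust_neighbourhood():
    """F' = {q | d(q, F) < sigma*gamma}.  The threshold is read off the automaton
    (assumption): one more than the largest distance at which some admissible
    disturbance keeps R_F from strictly decreasing; beyond it every disturbed
    step still makes progress, which is what sigma-robustness guarantees."""
    stalled = [rank(q) for q in range(M + 1)
               if any(rank(delta(q, x)) >= rank(q) for x in range(-GAMMA, GAMMA + 1))]
    radius = max(stalled, default=-1)
    return {q for q in range(M + 1) if rank(q) <= radius}


def fault_bound():
    """Proposition 6.1(i): N >= max over q in F' of |tau^S(q, F)|."""
    return max(nominal_trace_length(q) for q in robust_neighbourhood())


def classical_bound():
    """Bound for a shortest-path rank: longest nominal path from any state to F."""
    return max(nominal_trace_length(q) for q in range(M + 1))


def recurs_under_n_bounded_faults(n, start, horizon=300):
    """Worst-case N-bounded adversary: push +GAMMA away from F whenever at least n
    nominal transitions have elapsed since the last fault.  Returns True when the
    gap between visits to F stays bounded over the horizon, i.e. F recurs."""
    q, since_fault = start, n
    last_visit = 0 if q in F else None
    worst_gap = 0
    for t in range(1, horizon + 1):
        if since_fault >= n:
            q, since_fault = delta(q, GAMMA), 0      # transient fault
        else:
            q, since_fault = delta(q, EPS), since_fault + 1
        if q in F:
            if last_visit is not None:
                worst_gap = max(worst_gap, t - last_visit)
            last_visit = t
    if last_visit is None:
        return False
    worst_gap = max(worst_gap, horizon - last_visit)
    return worst_gap <= n + fault_bound() + 1


if __name__ == "__main__":
    print("F' =", sorted(robust_neighbourhood()))
    print("N from Proposition 6.1(i):", fault_bound(), " classical:", classical_bound())
    for n in (0, fault_bound()):
        print(f"faults every {n} nominal steps ->", recurs_under_n_bounded_faults(n, M))
```

With $M = 30$ the neighbourhood is $F' = \{0, 1, 2\}$, so Proposition 6.1(i) gives $N = 1$, whereas the longest nominal path from any state to $F$ is 10 transitions. A fault on every transition (N = 0) traps the system at distance 2 from $F$, while a single nominal transition between faults is already enough for $F$ to recur, which is the point of the comparison made after the proof.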

Proof. For (i), we show that for any $q \in Q$ there exists a finite trace in $A$ connecting $q$ to
$F$ resulting from applying $S$.

First let $q \in Q$ be such that $d(q, F) \ge \sigma\gamma$. Then since $S$ is $\sigma$-robust there exists a unique
finite trace $\tau^S(q, F)$ ending at some state $q' \in Q$ such that $d(q', F) < \sigma\gamma$, regardless of
how frequently the fault occurs.

Now assume $q \in Q$ is such that $d(q, F) < \sigma\gamma$. By assumption, if the unique trace
$\tau^S(q_0, \{q\})$ is such that $q = p^{a,x}$ for some $x \ne \varepsilon$, that is, the state $q$ was reached due to
the effects of a fault, the next $N$ transitions on the trace will be nominal, that is, $x = \varepsilon$. By
definition of $N$ and $S$ the resulting subtrace of length $N$ will visit a state in the set $F$.

Assume instead that $q = p^{a,\varepsilon} \notin F$. If the next state $q^{a',x}$ on the trace resulting from
$S$ is such that $x = \varepsilon$ then $q^{a',\varepsilon}$ will satisfy $d(q^{a',\varepsilon}, F) < \sigma\gamma$ and the same argument may be
applied. Therefore if no fault occurs for the next $N$ transitions some state in the set $F$
will be reached. If a fault occurs, a state in the set $F$ will be reached in the $N$ transitions
following the fault.

If $x \ne \varepsilon$ then either $d(q^{a',x}, F) < \sigma\gamma$, in which case the above argument applies, or
$d(q^{a',x}, F) \ge \sigma\gamma$ and the first argument applies. So we conclude that the strategy $S$ is
winning in the automaton $A$ against an $N$-bounded disturbance strategy.

For (ii) the argument is similar. If $q$ has even parity then the result follows. Assume
instead that $q \in F_j$ with $j$ odd. If for $i \in \{0, \dots, n\}$, $\infty > d(q, F_{2i}) \ge \sigma\gamma$ with $2i < j$,
then since $S$ is $\sigma$-robust there exists a finite trace resulting from $S$ connecting $q$ to some
state $q'$ satisfying $d(q', F_{2k}) < \sigma\gamma$ for some $k \in \{0, \dots, n\}$, regardless of how frequently
the fault occurs.

Now assume $q$ and $i \in \{0, \dots, n\}$ are such that $2i < j$ and $d(q, F_{2i}) < \sigma\gamma$. By
assumption, if the trace resulting from $S$ connecting $q_0$ to $q$ is such that $q = p^{a,x}$ for some
$p \in Q$, $a \in \Sigma$ and $x \in X \setminus \{\varepsilon\}$, the next $N$ transitions will be nominal and the resulting
subtrace will feature a state in the set $F_{2i}$. If instead $q = p^{a,\varepsilon}$ then either

(i) : the next state on the trace is contained in a set $F_{2i}$ for some $2i < j$ and we are
done;

(ii) : the next state $q^{a',x} \notin F_{2i}$ for some $i$ and $x \ne \varepsilon$, and a state in a set of lower even parity will be
reached in the next $N$ steps; or

(iii) : the next state $q^{a',x}$ is such that $x = \varepsilon$. Then the argument is repeated: if a fault
does not occur for the next $N$ transitions then a state in a set of lower even parity
will be visited. If a fault occurs, a state of even parity will be visited in the next $N$
transitions following the fault.

Therefore a strategy $S$ induced from a Lipschitz continuous control Lyapunov function
is winning for the parity automaton $(A, \mathcal{F})$ against an $N$-bounded disturbance strategy.

□

Compare the above result to the equivalent bound one might establish for a strategy 
induced from a classical shortest path rank function in a Büchi automaton: in this case 
the value of N must be greater than the length of the longest simple path connecting a 
state in Q to a state in F. In our result N is defined with respect to a potentially much 
smaller subset of Q. Since the bound is a monotonically increasing function of the 
environmental error 7 this result provides a bridge between the state based view of faults 
and the running time of the system: a less powerful fault may occur more frequently than 
a more powerful one without disrupting a well designed strategy. 

7. Discussion 

We have presented a theory of robustness for ω-regular properties of automata. We 
have considered both deterministic and non-deterministic memoryless strategies, and dis- 
turbances whose power is bounded universally across the whole system, or bounded de- 
pendent upon the current state. In every case we provide methods to explicitly calculate 
and guarantee robustness of given strategies, as well as polynomial time algorithms to syn- 
thesize optimally robust strategies for a given system. There are two natural extensions 
to our work. First, in our model, bounded disturbances are the only source of adversarial 
interaction. The presence of additional adversaries leads to (more complex) algorithms 
for solving two-player games [3, 30]. We believe our simpler model is already applicable
in many settings — we are inspired by similar models in continuous control — and our 
polynomial-time algorithms render our results applicable in practice. It would therefore 
be of interest to see how our results extend to a setting in which additional adversarial 
influences exist. 

Second, how can we combine our results on automata with the existing theory of robust 
control for continuous systems? We believe that by consolidating some of the recently 
reported results [23, 28] on the existence of automata based abstractions of continuous 
control systems with the methods presented here we can expect to obtain a comprehensive 
robustness theory for cyber physical systems. 